Ok, implementing this I realized the obvious flaw: you can't use this key to sign other keys. And I can find no way to configure a subkey in GPG to do this (I suppose it might exist; GPG is dark and mysterious).
Surely, surely it would be easier to just make two keypairs, store the master and then sign your "daily driver" key? This seems like a lot of effort making gpg do things it doesn't want to do for little practical gain - the full perfect key is still ideally offline.