diff --git a/home/felschr-rpi4.nix b/home/felschr-rpi4.nix
index 2b1f759..e2e66fe 100644
--- a/home/felschr-rpi4.nix
+++ b/home/felschr-rpi4.nix
@@ -12,7 +12,8 @@
   services.gpg-agent = {
     enable = true;
     enableSshSupport = true;
-    sshKeys = [ "4AE1DDE05F4BB6C8E220501F1336A98E89836D90" ];
+    # use auth subkey's keygrip: gpg2 -K --with-keygrip
+    sshKeys = [ "3C48489F3B0FBB44E72180D4B1D7541C201C9987" ];
     defaultCacheTtl = 600;
     defaultCacheTtlSsh = 600;
     pinentryFlavor = "curses";
diff --git a/home/felschr-work.nix b/home/felschr-work.nix
index 000a82f..2ab13fb 100644
--- a/home/felschr-work.nix
+++ b/home/felschr-work.nix
@@ -24,7 +24,8 @@ with pkgs; {
   services.gpg-agent = {
     enable = true;
     enableSshSupport = true;
-    sshKeys = [ "967EC4516D18D0E1211FCFC38B1CAF89FF627FCA" ];
+    # use auth subkey's keygrip: gpg2 -K --with-keygrip
+    sshKeys = [ "8A6213DCDAF86BD3A63549FCFDF71B2C92DAE02C" ];
     defaultCacheTtl = 600;
     defaultCacheTtlSsh = 600;
     pinentryFlavor = "gnome3";
diff --git a/home/felschr.nix b/home/felschr.nix
index 11d282b..b1e8085 100644
--- a/home/felschr.nix
+++ b/home/felschr.nix
@@ -34,7 +34,11 @@
   services.gpg-agent = {
     enable = true;
     enableSshSupport = true;
-    sshKeys = [ "4AE1DDE05F4BB6C8E220501F1336A98E89836D90" ];
+    # use auth subkey's keygrip: gpg2 -K --with-keygrip
+    sshKeys = [
+      "3C48489F3B0FBB44E72180D4B1D7541C201C9987"
+      "8A6213DCDAF86BD3A63549FCFDF71B2C92DAE02C"
+    ];
     defaultCacheTtl = 600;
     defaultCacheTtlSsh = 600;
     pinentryFlavor = "gnome3";
diff --git a/home/git.nix b/home/git.nix
index 2e9456e..ae5cb8d 100644
--- a/home/git.nix
+++ b/home/git.nix
@@ -7,13 +7,15 @@
       private = {
         name = "Felix Tenley";
         email = "dev@felschr.com";
-        signingKey = "6AB3 7A28 5420 9A41 82D9  0068 910A CB9F 6BD2 6F58";
+        # use sign subkey's fingerprint: gpg2 -K --with-subkey-fingerprint
+        signingKey = "7E08 6842 0934 AA1D 6821  1F2A 671E 39E6 744C 807D";
         dirs = [ "~/dev/private/" "/etc/nixos" ];
       };
       work = {
         name = "Felix Schröter";
         email = "fs@upsquared.com";
-        signingKey = "F28B FB74 4421 7580 5A49  2930 BE85 F0D9 987F A014";
+        # use sign subkey's fingerprint: gpg2 -K --with-subkey-fingerprint
+        signingKey = "16F6 4623 8B1C 80C4 6267  6FF9 4D13 24C5 006E 9B2E";
         dirs = [ "~/dev/work/" ];
       };
     };