Confused about Sub keys.

Faramir at
Tue Jun 10 06:17:46 CEST 2008

Hash: SHA1

Simon Dwyer escribió:
> Hi everyone,
> I am new  to all this and have been alot of reading.
> One thing i cant get my head around is subkeys.  I have generated a sub
> key with my master key and i undestand that.  All the commands and thing
> i have been doing i have been using my master keys id... should i be
> actively using my sub key? or does it just use it as i talk to people?

  Hello, and yes, I think subkeys are confusing... I am still a bit
confused... Anyway, there are a few things I understood, and they are:

1.- There are keys used to sign, and other keys used for
encrypt/decrypt: DSA keys can sign but not encrypt, Elgammal can encrypt
but not sign. RSA can do both functions, but the function intended for
it must be defined at the moment of creating the key. And that is the
reason to use "key pairs", because a singe key can't do both functions.

2.- You can make a key pair using DSA-Elgammal, or
RSA(sign)-RSA(encrypt). Maybe you can mix, but I am *not sure* about that.

3.- A key pair is always composed by a primary key (used to sign), and a
subkey used to encrypt/decrypt.

4.- You can add more subkeys, for signing and for encrypting. But I
don't have any idea about how does GnuPG chose what key is going to use...

5.- The primary key is the only key that can sign other keys.

6.- But if you have a signing subkey, and an encrypting subkey, you can
use these subkeys pair to sign and encrypt... you can even export the
secret keys and store them safe, then export the subkeys, delete the
key, import the subkeys, and be able to do everything, except to sign
other people's keys. You can revoke the subkeys, if they get
compromised, and since the primary key would not be compromised, you can
import it, make a new subkeys pair, and keep functioning with the same
master key ID (so, you would not lose the signatures people have done to
your key).

7.- If you delete a subkey used to encrypt, you won't be able to read
messages sent to you encrypted for that subkey, so, if you have to
revoke a subkey, do it, but never delete it.

  And that is all I know about the subject...

  So, you don't have to do anything to use your subkey, it is already
being used anytime you need to encrypt/decrypt.

Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla -


More information about the Gnupg-users mailing list