Confused about Sub keys.

Simon Dwyer sdwyer at
Tue Jun 10 06:40:06 CEST 2008

That does make more sense.  Still a very confusing topic.  From what i
gather the fact that my emails are being signed and everything seems to
be working i will not worry about it too much.  Hope this post helps
others that come looking later with the same question. 

Thanks Faramir,


On Tue, 2008-06-10 at 00:17 -0400, Faramir wrote:
> Hash: SHA1
> Simon Dwyer escribió:
> > Hi everyone,
> > 
> > I am new  to all this and have been alot of reading.
> > 
> > One thing i cant get my head around is subkeys.  I have generated a sub
> > key with my master key and i undestand that.  All the commands and thing
> > i have been doing i have been using my master keys id... should i be
> > actively using my sub key? or does it just use it as i talk to people?
>   Hello, and yes, I think subkeys are confusing... I am still a bit
> confused... Anyway, there are a few things I understood, and they are:
> 1.- There are keys used to sign, and other keys used for
> encrypt/decrypt: DSA keys can sign but not encrypt, Elgammal can encrypt
> but not sign. RSA can do both functions, but the function intended for
> it must be defined at the moment of creating the key. And that is the
> reason to use "key pairs", because a singe key can't do both functions.
> 2.- You can make a key pair using DSA-Elgammal, or
> RSA(sign)-RSA(encrypt). Maybe you can mix, but I am *not sure* about that.
> 3.- A key pair is always composed by a primary key (used to sign), and a
> subkey used to encrypt/decrypt.
> 4.- You can add more subkeys, for signing and for encrypting. But I
> don't have any idea about how does GnuPG chose what key is going to use...
> 5.- The primary key is the only key that can sign other keys.
> 6.- But if you have a signing subkey, and an encrypting subkey, you can
> use these subkeys pair to sign and encrypt... you can even export the
> secret keys and store them safe, then export the subkeys, delete the
> key, import the subkeys, and be able to do everything, except to sign
> other people's keys. You can revoke the subkeys, if they get
> compromised, and since the primary key would not be compromised, you can
> import it, make a new subkeys pair, and keep functioning with the same
> master key ID (so, you would not lose the signatures people have done to
> your key).
> 7.- If you delete a subkey used to encrypt, you won't be able to read
> messages sent to you encrypted for that subkey, so, if you have to
> revoke a subkey, do it, but never delete it.
>   And that is all I know about the subject...
>   So, you don't have to do anything to use your subkey, it is already
> being used anytime you need to encrypt/decrypt.
>  Regards
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla -
> mPj2SuSVKHYc5qZuLuGRxw+2gaXO8icMb91Fep58DTivvJFpat3KEkypWAPSyhH1
> 8pbm69l813Z1Ok+1uIaUXxEyaKQJOEnCejfp0qK+Ow7Yy+V61lBzl8shssll/Upb
> q5eUeaofqRdkujEOfKVdRd4KdsWS6+Giu+a+HbJiiwC5UjM5Js8qj94aFCYtXrfT
> b4CnYmTW89ekMz9iL51J9EBXzrkoZ4nQaLgQ875xLwsNyFjy+Cer5+j4+TziPz8j
> FgsV5t3AY8W7wLiMbMviiWJ0Uqv792Kjs85+qfMsDVp61jqCaX6MkBWzEBR3lQk=
> =zuH8
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL: </pipermail/attachments/20080610/98d359c6/attachment.pgp>

More information about the Gnupg-users mailing list