trying to understand UID and subkeys

David Shaw dshaw at
Thu Mar 5 18:23:05 CET 2009

On Thu, Mar 05, 2009 at 12:14:24PM -0500, gerry_lowry (alliston ontario canada) wrote:
> David Shaw wrote, in part:
>     You can  have one subkey for encryption, one subkey for signing, and
>     leave your primary key for certification.
>     This lets you do tricks like keeping your primary key offline.
>     This is useful as the primary key is the most "valuable" key (since it can make more subkeys),
> Question # 1:  does primary key here mean "primary PUBLIC key"?

No.  Primary secret key.  There is no risk in keeping a primary public
key online.  It's public already.

> Question # 2:  without the pass phrase, how can one make more subkeys?

You cannot.  To make more subkeys you need both the passphrase and the
primary secret key.

> Question # 3:  what determines that a key is a "primary" key?
>                       (is it because --gen-key was used instead of --edit-key?)

Essentially, yes.  --gen-key always makes a primary key.  If you
accept the default, it also makes you a single subkey.  You can add
more subkeys to it later via --edit-key.

> Question # 4:  by offline, do you mean not on a keyserver?
>                       (versus not on your local hard disk?)

By offline I mean not even on your local hard disk.  Offline, say, on
a USB flash disk, or a CD-R.


More information about the Gnupg-users mailing list