trying to understand UID and subkeys

Joseph Oreste Bruni jbruni at
Thu Mar 5 19:11:52 CET 2009

On Thursday, March 05, 2009, at 10:14AM, "gerry_lowry (alliston ontario canada)" <gerry.lowry at> wrote:
>David Shaw wrote, in part:
>    You can  have one subkey for encryption, one subkey for signing, and
>    leave your primary key for certification.
>    This lets you do tricks like keeping your primary key offline.
>    This is useful as the primary key is the most "valuable" key (since it can make more subkeys),
>Question # 1:  does primary key here mean "primary PUBLIC key"?
>Question # 2:  without the pass phrase, how can one make more subkeys?
>Question # 3:  what determines that a key is a "primary" key?
>                      (is it because --gen-key was used instead of --edit-key?)
>Question # 4:  by offline, do you mean not on a keyserver?
>                      (versus not on your local hard disk?)

Hi Gerry,

When someone is referring to a "key" they are typically referring to a "key pair" -- both public and private. Your primary key and various subkeys are all keypairs.

Public keys are used for encryption and verifying digital signatures.

Private keys are used for decryption, creating digital signatures, and for signing other keys.

A subkey (keypair) that is flagged for encryption will have both public and private components. 


More information about the Gnupg-users mailing list