GPG clarification

Robert ensamgud at
Tue Jul 6 15:09:49 CEST 2010

Hi, we're using GnuPG 1.4.5 to encrypt and store sensitive files at work. We
have been given some requirements to comply with, spawning some general
questions. I tried searching in help files but haven't found answers to
everything so I'm trying here. If these questions are asked somewhere in
the documentation, I would be glad to get a link there.

When I choose to generate a key, gpg --gen-key, I am asked what kind of key
I want. If I go with default (DSA and Elgamal) I get a message saying "DSA
keypair will have 1024 bits".

1) What does this mean? Is it some kind of 'key-encrypting' to secure the
actual keys? It is not involved in the actual encryption of data?

After this, I get to choose the size of the ELG-E key. I go with default of

2) Is this the actual 'data-encrypting' keys that will now be elgamal and
size of 2048 bits? If so, is it the same for both public and secret key?

Now, when I use the command to list my public keys, gpg --list-public-keys,
I see my key in the list. Top row lists: pub, 1024D/2D*****7.

3) This, as I guessed in question 1, is not the actual data-encrypting key
but more like a key-encrypting key?

The next row shows uid which should be user id, nothing strange there. Then
I get a row called 'sub'.

4) What does 'sub' mean? Is this the actual data encrypting key?

Now, if I choose to list my secret keys, gpg --list-secret-keys, I get the
exact same output but 'sec' is replaced with 'pub'. This should verify the
'key-encrypting-key' -thingy. But the rest of the output confuses me:

5) Is my secret and public key the same?? They both have the same id, it's
just 'sub' in one place and 'ssb' in the other.

6) What does 'ssb' mean?

I can see that the different commands use different files, 'pubring.gpg' and
'secring.gpg', still they seem to list the same key? Are the secret and
public key displayed as one in the key ring? If so, is it possible to
separate these somehow to put the private key in a safe for example?

My final question:

7) I assume the key rings themselves, holding the keys, are encrypted. How
strong is this encryption in GPG? What algorithm is used, etc? One
requirement is about compromising the machine with the keys, how easy it
would be to export the keys. Since the keyring is physically located on the

Thanks in advance,
