GPG clarification

Joke de Buhr joke at
Tue Jul 6 17:47:49 CEST 2010

Wikipedia has a very good article with lots of information on public-key 
cryptography. It covers a lot of your questions regarding public keys and 
private keys.

On Tuesday 06 July 2010 15:09:49 Robert wrote:
> Hi, we're using GnuPG 1.4.5 to encrypt and store sensitive files at work.
> We have been given some requirements to comply with, spawning some general
> questions. I tried searching in help files but haven't found answers to
> everything so I'm trying here. If these questions are asked somewhere in
> documentation, I would be glad to get a link there.
> When I choose to generate a key, gpg --gen-key, I am asked what kind of key
> I want. If I go with default (DSA and Elgamal) I get a message saying "DSA
> keypair will have 1024 bits".
> 1) What does this mean? Is it some kind of 'key-encrypting' to secure the
> actual keys? It is not involved in the actual encryption of data?
> After this, I get to choose the size of the ELG-E key. I go with default of
> 2048.
> 2) Is this the actual 'data-encrypting' keys that will now be elgamal and
> size of 2048 bits? If so, is it the same for both public and secret key?
> Now, when I use the command to list my public keys, gpg --list-public-keys,
> I see my key in the list. Top row lists: pub, 1024D/2D*****7.
> 3) This, as I guessed in question 1, is not the actual data-encrypting key
> but more like a key-encrypting key?
> The next row shows uid which should be user id, nothing strange there. Then
> I get a row called 'sub'.
> 4) What does 'sub' mean? Is this the actual data encrypting key?
> Now, if I choose to list my secret keys, gpg --list-secret-keys, I get the
> exact same output but 'sec' is replaced with 'pub'. This should verify the
> 'key-encrypting-key' -thingy. But the rest of the output confuses me:
> 5) Is my secret and public key the same?? They both have the same id, it's
> just 'sub' in one place and 'ssb' in the other.
> 6) What does 'ssb' mean?
> I can see that the different commands use different files, 'pubring.gpg'
> and 'secring.gpg', still they seem to list the same key? Is the secret and
> public key displayed as one in the key ring? If so, is it possible to
> separate these somehow to put the private key in a safe for example?
> My final question:
> 7) I assume the key rings themselves, holding the keys, are encrypted. How
> strong is this encryption in GPG? What algorithm is used, etc? One
> requirement is about compromising the machine with the keys, how easy it
> would be to export the keys. Since the keyring is physically located on the
> machine.
> Thanks in advance,
> Regards,
> Robert
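As an added example that is not part of the original thread: the two listings Robert is puzzled by ('pub'/'sub' from pubring.gpg and 'sec'/'ssb' from secring.gpg) also exist in a machine-readable form, `gpg --list-keys --with-colons` and `gpg --list-secret-keys --with-colons`, whose fields are described in GnuPG's doc/DETAILS. The parser below reads that format, reports which record is the signing primary key (1024-bit DSA) and which is the data-encrypting subkey (2048-bit ElGamal), and pairs each public record with the secret record that shares its key ID. The two sample listings, the key IDs and the user ID in them are constructed for this example, not real output; the field positions follow doc/DETAILS.

```python
"""Parse GnuPG's colon-delimited key listings and relate the records.

The listings below are CONSTRUCTED sample output (made-up key IDs and user
ID) shaped like the default key Robert describes: a 1024-bit DSA primary key
with a 2048-bit ElGamal encryption subkey. Field layout per GnuPG doc/DETAILS.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Public-key algorithm numbers (RFC 4880 section 9.1) as printed in field 4,
# with the only use GnuPG permits for that algorithm.
ALGO_NAMES = {
    1: ("RSA", "sign+encrypt"),
    16: ("ElGamal", "encrypt"),
    17: ("DSA", "sign"),
}

# Public record type -> record type carrying the same key's secret material.
PUBLIC_TO_SECRET = {"pub": "sec", "sub": "ssb"}

PUB_LISTING = """\
tru::1:1278431269:0:3:1:5
pub:u:1024:17:1A2B3C4D5E6F7A8B:2010-07-06::::::scESC:
uid:u::::2010-07-06::0000000000000000000000000000000000000000::Robert <robert@example.com>:
sub:u:2048:16:9F8E7D6C5B4A3928:2010-07-06::::::e:
"""

SEC_LISTING = """\
sec::1024:17:1A2B3C4D5E6F7A8B:2010-07-06:::::::
uid:::::::::Robert <robert@example.com>:
ssb::2048:16:9F8E7D6C5B4A3928:2010-07-06:::::::
"""


@dataclass
class KeyRecord:
    rtype: str   # pub / sub / sec / ssb
    bits: int    # field 3: key length
    algo: int    # field 4: algorithm number
    keyid: str   # field 5: key ID, identical for a key and its secret half
    caps: str    # field 12: capabilities (empty in older secret-key listings)

    @property
    def algo_name(self) -> str:
        return ALGO_NAMES.get(self.algo, ("algo %d" % self.algo, "unknown"))[0]

    @property
    def role(self) -> str:
        """What this particular key is used for.

        gpg prints the key's own capabilities in lower case and the whole
        key's usable capabilities in upper case (e.g. 'scESC' on a pub line).
        Only the lower-case letters describe this record; if the field is
        empty, fall back to what the algorithm is allowed to do."""
        own = "".join(c for c in self.caps if c.islower())
        if own:
            names = {"c": "certify", "s": "sign", "e": "encrypt", "a": "authenticate"}
            return "+".join(names[c] for c in "csea" if c in own)
        return ALGO_NAMES.get(self.algo, ("?", "unknown"))[1]


def parse_listing(text: str) -> List[KeyRecord]:
    """Return the key records of a --with-colons listing (uid/tru lines skipped)."""
    records = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub", "sec", "ssb"):
            continue
        caps = f[11] if len(f) > 11 else ""
        records.append(KeyRecord(f[0], int(f[2]), int(f[3]), f[4], caps))
    return records


def match_keyrings(pub: List[KeyRecord], sec: List[KeyRecord]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map key ID -> (public record type, secret record type or None).

    A key present in both keyrings comes out as ('pub', 'sec') or ('sub', 'ssb');
    ('pub', None) is what the listing looks like once the private key has been
    moved off the machine. A type mismatch between the rings is an error."""
    secret_by_id = {r.keyid: r for r in sec}
    pairs = {}
    for r in pub:
        s = secret_by_id.get(r.keyid)
        if s is not None and s.rtype != PUBLIC_TO_SECRET[r.rtype]:
            raise ValueError("%s is %s in pubring but %s in secring" % (r.keyid, r.rtype, s.rtype))
        pairs[r.keyid] = (r.rtype, s.rtype if s else None)
    return pairs


def encryption_key_ids(records: List[KeyRecord]) -> List[str]:
    """Key IDs of the records that actually encrypt data (the ElGamal subkey here)."""
    return [r.keyid for r in records if "encrypt" in r.role]


def signing_key_ids(records: List[KeyRecord]) -> List[str]:
    """Key IDs of the records that sign (the DSA primary key here)."""
    return [r.keyid for r in records if "sign" in r.role]


if __name__ == "__main__":
    pub, sec = parse_listing(PUB_LISTING), parse_listing(SEC_LISTING)
    for r in pub + sec:
        print("%-3s %4d-bit %-7s %s  used to: %s" % (r.rtype, r.bits, r.algo_name, r.keyid, r.role))
    print("pairs:", match_keyrings(pub, sec))
    print("data is encrypted to:", encryption_key_ids(pub))
```

The key IDs that `match_keyrings` pairs up are the ones you would pass to `gpg --export-secret-keys` to pull a private key out of secring.gpg for storage elsewhere; after removing it from the ring with `gpg --delete-secret-keys`, the same listing shows the ('pub', None) shape.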