GPG clarification

Robert J. Hansen rjh at
Tue Jul 6 18:52:11 CEST 2010

On 7/6/10 9:09 AM, Robert wrote:
> Hi, we're using GnuPG 1.4.5 to encrypt and store sensitive files at 
> work.

Please consider upgrading to 1.4.10.  There have been a lot of changes
since 1.4.5, including better support for DSA2 and quite a few minor

> If I go with default (DSA and Elgamal) I get a message saying "DSA 
> keypair will have 1024 bits".
> 1) What does this mean? Is it some kind of 'key-encrypting' to
> secure the actual keys? It is not involved in the actual encryption
> of data?

I don't mean to sound acerbic, but the contents are exactly what's
stamped on the tin.

DSA is the Digital Signature Algorithm -- a U.S. federal standard for
digital signatures.  Per the federal standard in existence when 1.4.5
was written, DSA keys were allowed to have either 512 or 1024 bits.

GnuPG is simply letting you know the DSA keypair you're creating will
have 1024 bits.

> 2) Is this the actual 'data-encrypting' keys that will now be
> elgamal and size of 2048 bits? If so, is it the same for both public
> and secret key?

More or less.  Getting into more detail will require mathematics and
talk about inverse functions and whatnot.  "More or less" is accurate
enough for most purposes.

> 3) This, as I guessed in question 1, is not the actual 
> data-encrypting key but more like a key-encrypting key?

No.  It's the ID of the key used for signing data.

> 4) what does 'sub' mean? Is this the actual data encrypting key?

It means "there is another set of cryptographic keys associated with
this signing key."  Without seeing the particular subkey I can't promise
that it's a set of encryption and decryption keys.  However, given what
you've said so far, I think it's likely.

> 5) Is my secret and public key the same?? They both have the same
> id, it's just 'sub' in one place and 'ssb' in the other.

They are intimately related, but not identical.

> 6) What does 'ssb' mean?

ssb is to sub as sec is to pub.

ssb = Secret Subkey.

> Is the secret and public key displayed as one in the key ring?


> If so, is it possible to separate these somehow to put the private 
> key in a safe for example?

Yes.  If you wish to do this, I'd suggest looking into a tool called

> 7) I assume the key rings themselves, holding the keys, are 
> encrypted. How strong is this encryption in GPG?

All algorithms used by GnuPG are considered safe against all known forms
of cryptanalysis.  And by "safe," I mean "really, anyone with half a
brain will find another way to get the information out of you, it'll be
so much easier that way."

More information about the Gnupg-users mailing list