What does the "sub" entry of a key mean?

David Shaw dshaw at jabberwocky.com
Sat Jan 15 18:27:58 CET 2011

On Jan 15, 2011, at 11:13 AM, Bo Berglund wrote:

> I am building an application for GPG encryption, which ultimately will
> be integrated into the Win7X64 Explorer context menu.
> I have used the command line command "gpg2 -k" to retrieve a ley list
> for the current key ring. Works fine. Now it is time for parsing and I
> have a few questions:
> The output from the command looks like this (shortened):
> C:/Documents and Settings/Bosse/Application Data/gnupg/pubring.gpg
> ------------------------------------------------------------------
> pub   1024D/C50DAFF8 2006-08-19
> uid                  Bo Berglund <bo.berglund at gmail.com>
> sub   2048g/011AD792 2006-08-19
> pub   1024D/41C6E930 2003-04-10
> uid                  Richard Jones <richard at commonground.com.au>
> uid                  Richard Jones <richard at mechanicalcat.net>
> uid                  Richard Jones <richardjones at optushome.com.au>
> sub   1024g/40AD97DF 2003-04-10
> Now, I understand most of this but I would like to know the
> significance of these items:
> 1) In the pub line the first item is a number + a letter. I assume
> that the number is the bit length of the key, but what does the letter
> mean? And which are the possible letters?

Yes, the number is the bit length of the key.  The letters are:

RSA       == R
DSA       == D
Elgamal == g (only seen in subkeys)

Historically there was a "G" for an Elgamal key that could both encrypt and sign, but that was dropped from OpenPGP.  The current lowercase "g" Elgamal is an encrypt-only key.

> 2) What does the last line of each key mean, which starts with sub?
> Notice that there is a different hex code and different letter
> following the key length...

Sub is for subkeys.  They are other keys that go along with the main, or primary, key.  A common usage pattern is for the primary to be used for signing, and the subkey used to encryption.

> 3) Some keys have several uid lines, is there a maximum or minimum
> number here? It looks like a number of email addresses attached to the
> key, is this correct?

There is a minimum of 1.  There is no maximum.  There are also "uat" lines, of which there are zero or more.  A uat is used to store other things aside from text (for example, photo IDs).

> 4) I only have one public keyring, but I assume that it is possible to
> have several? If so will the -k command list these after each other?
> The first output line seems to be the actual keyring location.

It is possible to have several.

I note that you are trying to parse the output, though.  That is a bad idea, as the format is intended for human consumption, and not machine parsing.  The machine format is stable, and the human format is subject to change.  Use the --with-colons option to enable machine parsing.


More information about the Gnupg-users mailing list