What does the "sub" entry of a key mean?

Bo Berglund bo.berglund at gmail.com
Sat Jan 15 19:17:27 CET 2011

On Sat, 15 Jan 2011 12:27:58 -0500, David Shaw <dshaw at jabberwocky.com>

>On Jan 15, 2011, at 11:13 AM, Bo Berglund wrote:
>> I am building an application for GPG encryption, which ultimately will
>> be integrated into the Win7X64 Explorer context menu.
>> I have used the command line command "gpg2 -k" to retrieve a ley list
>> for the current key ring. Works fine. Now it is time for parsing and I
>> have a few questions:
>> The output from the command looks like this (shortened):
>> C:/Documents and Settings/Bosse/Application Data/gnupg/pubring.gpg
>> ------------------------------------------------------------------
>> pub   1024D/C50DAFF8 2006-08-19
>> uid                  Bo Berglund <bo.berglund at gmail.com>
>> sub   2048g/011AD792 2006-08-19
>> pub   1024D/41C6E930 2003-04-10
>> uid                  Richard Jones <richard at commonground.com.au>
>> uid                  Richard Jones <richard at mechanicalcat.net>
>> uid                  Richard Jones <richardjones at optushome.com.au>
>> sub   1024g/40AD97DF 2003-04-10
>> Now, I understand most of this but I would like to know the
>> significance of these items:
>> 1) In the pub line the first item is a number + a letter. I assume
>> that the number is the bit length of the key, but what does the letter
>> mean? And which are the possible letters?
>Yes, the number is the bit length of the key.  The letters are:
>RSA       == R
>DSA       == D
>Elgamal == g (only seen in subkeys)
>Historically there was a "G" for an Elgamal key that could both encrypt and sign, but that was dropped from OpenPGP.  The current lowercase "g" Elgamal is an encrypt-only key.
>> 2) What does the last line of each key mean, which starts with sub?
>> Notice that there is a different hex code and different letter
>> following the key length...
>Sub is for subkeys.  They are other keys that go along with the main, or primary, key.  A common usage pattern is for the primary to be used for signing, and the subkey used to encryption.
>> 3) Some keys have several uid lines, is there a maximum or minimum
>> number here? It looks like a number of email addresses attached to the
>> key, is this correct?
>There is a minimum of 1.  There is no maximum.  There are also "uat" lines, of which there are zero or more.  A uat is used to store other things aside from text (for example, photo IDs).
>> 4) I only have one public keyring, but I assume that it is possible to
>> have several? If so will the -k command list these after each other?
>> The first output line seems to be the actual keyring location.
>It is possible to have several.
>I note that you are trying to parse the output, though.  That is a bad idea, as the format is intended for human consumption, and not machine parsing.  The machine format is stable, and the human format is subject to change.  Use the --with-colons option to enable machine parsing.

THanks, indeed the --with-colons gave a completely different output...
I was just about to ask of the date format (if it changes between
operating systems or such) but now I have a different problem in
understanding the machine readable format.

Very hard to understand. Is there a parsing guide somewhere?

Bo Berglund
Developer in Sweden

More information about the Gnupg-users mailing list