Why do we use a different key to sign than to encrypt

David Shaw dshaw at jabberwocky.com
Tue Mar 1 15:34:18 CET 2011

On Mar 1, 2011, at 8:13 AM, Guy Halford-Thompson wrote:

> Not GPG specific, but I was wondering if someone could point me in the
> direction of some resources that explain why we use different keys to
> sign and encrypt (for cases where the same key _could_ do both e.g.
> RSA).  I cant seem to pick anything up on google.

There is no one reason, but a few reasons that, taken together, makes this useful.

One reason is that it enables the use of sign-only or encryption-only algorithms, which if one key had to do it all, would not be usable.   Another reason is that it helps prevent a complete compromise - if only a subkey is compromised, the whole key is not compromised.  It allows for the best-algorithm-for-the-job decision to be made (for example, many people like signing with DSA because the signatures are physically smaller and thus not so obvious in email). It allows easier key changes without changing the main "identity" key by expiring or revoking just a subkey and making a new one.  And so on.  Some of these reasons overlap as well.

OpenPGP supports both the single-key and multiple-key models, so you're not forced to do it one way or the other.  The default in GnuPG is multiple key.


More information about the Gnupg-users mailing list