Why do we use a different key to sign than to encrypt

Jameson Rollins jrollins at finestructure.net
Tue Mar 1 20:12:15 CET 2011


On Tue, 1 Mar 2011 14:30:37 +0000, Guy Halford-Thompson <guy at cach.me> wrote:
> But doesn't GPG generate 2 private keys (as well as public keys) when
> you create a new keypair?
> 
> Please select what kind of key you want:
>    (1) RSA and RSA (default)
>    (2) DSA and Elgamal
>    (3) DSA (sign only)
>    (4) RSA (sign only)
> 
> I can understand if you use DSA and Elgamal (DSA can only sign) but
> what about RSA and RSA?

Hi, Guy.  This prompt is definitely confusing, but yes, options (1) and
(2) create two key pairs, one primary key used for signing and
certifying, and a second subkey used for encryption.  Options (3) and
(4) only create a single primary key used for signing and certifying.

You can create an arbitrary number of subkeys if you'd like.  It's
common to create one for authentication, for instance.

jamie.
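
Added example, not part of the original message: one way to check the split described above is to read the capability field (field 12) of `gpg --list-keys --with-colons` and see which key can sign, certify or encrypt. The function name `key_caps`, the key IDs and the timestamps are constructed for illustration; the sample mimics one key made with option (1) and one made with option (3).

```shell
#!/bin/sh
# Summarise which key in a GnuPG colon listing carries which capability.
# Real use: gpg --list-keys --with-colons | key_caps
key_caps() {
    awk -F: '
    function algo(n) {
        # Field 4 is the public-key algorithm number.
        if (n == 1)  return "RSA"
        if (n == 16) return "Elgamal"
        if (n == 17) return "DSA"
        return "algo" n
    }
    function caps(f,   out) {
        # Lowercase letters are the capabilities of this one key.
        # Uppercase letters on a pub record summarise the whole key
        # (primary plus subkeys) and are ignored here.
        out = ""
        if (f ~ /s/) out = out "sign,"
        if (f ~ /c/) out = out "certify,"
        if (f ~ /e/) out = out "encrypt,"
        if (f ~ /a/) out = out "authenticate,"
        sub(/,$/, "", out)
        return (out == "" ? "none" : out)
    }
    $1 == "pub" || $1 == "sub" {
        role = ($1 == "pub") ? "primary" : "subkey"
        printf "%s %s %s %s\n", role, $5, algo($4), caps($12)
    }'
}

# Constructed sample listing (not real keys).
sample_listing() {
    cat <<'EOF'
pub:u:2048:1:AAAAAAAAAAAAAAAA:1298992335:::u:::scESC:
uid:u::::1298992335::::Option One <one@example.invalid>:
sub:u:2048:1:BBBBBBBBBBBBBBBB:1298992335::::::e:
pub:u:2048:17:CCCCCCCCCCCCCCCC:1298992335:::u:::scSC:
uid:u::::1298992335::::Option Three <three@example.invalid>:
EOF
}

sample_listing | key_caps
```

The first key shows a signing and certifying primary with a separate encryption subkey; the second has a primary only and nothing that can encrypt.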

More information about the Gnupg-users mailing list