[NOOB] Export subkey

Nicholas Cole nicholas.cole at gmail.com
Mon Aug 27 21:32:29 CEST 2012


On Monday, August 27, 2012, Arthur Rance wrote:

>  Hello,
>
> I'm a noob and I'm going to export a subkey :
>
> $ gpg --list-keys
>
> pub   2048R/12345678 2010-01-01
> uid                  Arthur Rance <arthur_rance at noob.com>
> sub   2048R/90123456 2010-01-01
> sub   2048R/78901234 2012-08-27
>
> $ gpg --export --armor 78901234 > 78901234.txt
>
> $ gpg --export --armor 12345678 > 12345678.txt
>
> $ diff 78901234.txt 12345678.txt
>
> Why is there no difference between the subkey and my public key ?
>
>
> Maybe I misunderstood something...
>
>
--export exports your whole public key.  It probably doesn't make sense to
only export a public subkey -- public keys are supposed to be public - and
various important bits of information are tied to the main key in any case.
Your user id, for example, is stored on the main key.

Secret subkeys are another matter, and if you look at the man page you will
see there is a facility to export them.  You would want it if, for example,
you wanted to keep the main key on one computer and put only the secret
subkey parts on another.

But if you are new to gpg and just using it as an individual, my strong
advice unless you have very particular needs is to ignore the subkey
elements and treat them as part of the technical inner workings of the
maths side of Gpg.  You almost certainly don't need to manipulate them for
now.

I don't say this to be condescending.  One of the great strengths of
OpenPGP and of gpg is that they provide a very flexible tool that can be
used in a huge number of situations.

Subkeys were introduced partly as a technical implementation detail: it is
bad security practice to use the same key for both signing and encrypting
(and with some algorithms impossible), so PGP needed a way to tie groups of
keys together and treat them as a single key.  They do, however, introduce
some benefits that can be useful in particular settings --- to occasionally
change encryption keys, for example.  The OpenPGP card can also be set up
to use only subkeys, which can be useful in preserving the web of trust if
a card is lost or damaged (though whether this is a good idea and worth the
complexity is going to vary from situation to situation).

I hope that helps.

Best wishes,

N
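Added example, not code from the thread or from GnuPG: a small Python reader that dearmors a PGP PUBLIC KEY BLOCK, checks its CRC-24 trailer, and names the packets inside, which makes visible why the two exported files were identical: `gpg --export` writes the whole certificate (primary key, user id, binding signatures, subkeys) whichever key id you name. The sample block is constructed from placeholder packet bodies and contains no real key material.

```python
import base64

TAG_NAMES = {2: "signature", 6: "public-key", 13: "user-id", 14: "public-subkey"}  # RFC 4880 4.3

def crc24(data):
    """CRC-24 appended to ASCII armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

# Wrap binary packets in ASCII armor; used here only to build constructed input.
def armor(data, kind="PUBLIC KEY BLOCK"):
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return (f"-----BEGIN PGP {kind}-----\nVersion: example\n\n"
            f"{base64.b64encode(data).decode()}\n={crc}\n-----END PGP {kind}-----\n")

def dearmor(text):
    """Decode the base64 body of an armored block and verify its CRC-24 line."""
    lines = text.strip().splitlines()
    body = base64.b64decode("".join(lines[lines.index("") + 1:-2]))
    if int.from_bytes(base64.b64decode(lines[-2][1:]), "big") != crc24(body):
        raise ValueError("armor CRC-24 mismatch")
    return body

def packet_tags(data):
    """Name each packet in a binary OpenPGP stream (old- and new-format headers)."""
    tags, i = [], 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:                               # new format: 6-bit tag
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            else:                                    # 255: four-byte length
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
        else:                                        # old format: 4-bit tag
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        tags.append(TAG_NAMES.get(tag, f"tag-{tag}"))
        i += hdr + length
    return tags

# Constructed stand-in for an export: primary key, user id, two subkeys, each followed
# by a dummy binding signature. Old-format one-byte-length headers; bodies are filler.
SAMPLE = armor(b"".join(bytes([0x80 | (t << 2), 8]) + b"x" * 8 for t in (6, 13, 2, 14, 2, 14, 2)))
```

Running `packet_tags(dearmor(SAMPLE))` lists the primary key first, then the user id and the subkeys with their signatures; `gpg --list-packets` on a real export shows the same order.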