Identifying your private key by the public KeyID

David Shaw dshaw at jabberwocky.com
Tue Aug 6 16:44:03 CEST 2013


On Aug 6, 2013, at 9:22 AM, Kenneth Jones <kententen at me.com> wrote:

> I'm referring to the information you see for example in the prompt to
> enter your private key when you have received an encrypted message in
> Thunderbird/Enigmail. The window "pinentry" prompts "Please enter the
> pass...2048-bit RSA key, ID DEADBEEF, created ... (main key ID
> ABCD0123)." Notice there are two key IDs mentioned in the window, one
> called Main, which is also the public Key ID (the one I expected, the
> one I remember), and the other for the secret key (which I have never
> paid any attention to).

Ah, that clarifies it.  Yes, as a few people have suggested, that's the subkey ID.  It's not inherently public or secret, but just another key attached to your primary key.  In OpenPGP, "your key" refers to a primary key, plus some number of subkeys (occasionally zero, but that's fairly rare).  The primary key is the one that the user IDs (email addresses, etc.) are attached to, and the one that gathers signatures from other people if you get your key signed.

The subkey(s) are keys attached to the primary key that can be used for encryption or signing.  The idea is that since it is difficult to change your primary key (you'd need to get it re-signed, re-print your business cards, and the like), you should be able to change the subkey quickly and easily.  A common methodology (and in fact the default for many programs) is to use the primary key for signing, and a subkey for encryption.  There are interesting variations that can be used with this basic design: some people leave their primary key offline completely, only taking it out to make new subkeys.  Some people use different passphrases on different subkeys.

To answer your original question, though, traditionally the key-as-a-whole is referred to by its primary key ID and fingerprint.  The subkeys are effectively along for the ride. Some programs make a point of telling you which subkey is in use at a particular time.  Some do not.

David
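As an added example (not part of David's message or of GnuPG's code), the script below builds a constructed OpenPGP key consisting of one primary key packet and one subkey packet, then derives the fingerprint and the key IDs of each, showing why the pinentry prompt shows two different IDs for what the user thinks of as one key. It assumes old-format packets with 2-byte lengths and uses tiny made-up RSA moduli purely to exercise the format; the helper names are mine.

```python
"""Derive OpenPGP v4 fingerprints and key IDs (RFC 4880) for a primary key and
its subkey, to show that the "main key ID" and the subkey ID are distinct keys
belonging to one OpenPGP key."""
import hashlib
import struct

PRIMARY_TAG, SUBKEY_TAG = 6, 14  # RFC 4880 packet tags: Public-Key, Public-Subkey

def mpi(n):
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_rsa_key_body(created, n, e):
    """Body of a version-4 public-key packet for RSA (public-key algorithm 1)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def packet(tag, body):
    """Old-format packet header with a 2-byte body length (RFC 4880 section 4.2.1)."""
    return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body

def v4_fingerprint(body):
    """V4 fingerprint: SHA-1 over 0x99, the 2-byte body length, and the key body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_ids(keyring):
    """Walk the packets; return (role, fingerprint, long key ID, short key ID) per key."""
    out, pos = [], 0
    while pos < len(keyring):
        tag = (keyring[pos] & 0x3C) >> 2                   # bits 5..2 of the old-format CTB
        length = struct.unpack(">H", keyring[pos + 1:pos + 3])[0]
        body = keyring[pos + 3:pos + 3 + length]
        pos += 3 + length
        if tag in (PRIMARY_TAG, SUBKEY_TAG):
            fpr = v4_fingerprint(body)
            role = "primary" if tag == PRIMARY_TAG else "subkey"
            # Long key ID = low 64 bits of the fingerprint; short ID = low 32 bits.
            out.append((role, fpr, fpr[-16:], fpr[-8:]))
    return out

# Constructed sample: tiny moduli, NOT real keys, only to exercise the packet format.
SAMPLE_KEYRING = (
    packet(PRIMARY_TAG, v4_rsa_key_body(1375800000, 0xC0FFEE0000000000000000000000000001, 65537))
    + packet(SUBKEY_TAG, v4_rsa_key_body(1375800000, 0xD00D0000000000000000000000000000001, 65537))
)

if __name__ == "__main__":
    for role, fpr, long_id, short_id in key_ids(SAMPLE_KEYRING):
        print(f"{role:8s} fingerprint {fpr}  key ID {long_id}  (short {short_id})")
```

Running it on a real exported key (`gpg --export`) would need a parser that also handles new-format and multi-octet lengths, which this minimal walker omits.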

More information about the Gnupg-users mailing list