Identifying your private key by the public KeyID

Kenneth Jones kententen at me.com
Wed Aug 7 02:13:52 CEST 2013


On 2013-08-06 22:44, David Shaw wrote:
> On Aug 6, 2013, at 9:22 AM, Kenneth Jones <kententen at me.com> wrote:
>
>> I'm referring to the information you see for example in the prompt to
>> enter your private key when you have received an encrypted message in
>> Thunderbird/Enigmail. The window "pinentry" prompts "Please enter the
>> pass...2048-bit RSA key, ID DEADBEEF, created ... (main key ID
>> ABCD0123)." Notice there are two key IDs mentioned in the window, one
>> called Main, which is also the public Key ID, (the one I expected, the
>> one I remember) and the other for the secret key (which I have Never
>> Paid any attention to).
> Ah, that clarifies it.  Yes, as a few people have suggested, that's the subkey ID.  It's not inherently public or secret, but just another key attached to your primary key.  In OpenPGP, "your key" refers to a primary key, plus some number of subkeys (occasionally zero, but that's fairly rare).  The primary key is the one that the user IDs (email addresses, etc) are attached to, and the one that gathers signatures from other people if you get your key signed.
>
> The subkey(s) are keys attached to the primary key, that can be used for encryption or signing.  The idea is that since it is difficult to change your primary key (you'd need to get it re-signed, and re-print your business cards, and the like) you should be able to change the subkey quickly and easily.  A common methodology (and in fact the default for many programs) is to use the primary key for signing, and a subkey for encryption.  There are interesting variations that can be used with this basic design: some people leave their primary key offline completely, only taking it out to make new subkeys.  Some people use different passphrases on different subkeys.
>
> To answer your original question, though, traditionally the key-as-a-whole is referred to by its primary key ID and fingerprint.  The subkeys are effectively along for the ride. Some programs make a point of telling you which subkey is in use at a particular time.  Some do not.
>
> David
>
Thank you, David, for your reply. And thanks to all others who also
helped, and those who patiently waited for me while the light dawned.
It's apparent that I have a lot of catching up to do; I'll go do some reading.
I'm fascinated, for example, that a key pair has more than two parts. I
have many questions, but I've taken enough of your time. FWIW, Steve
Gibson, the SpinRite guy if you know of it, is beginning a series on
mail privacy on his internet TV program at TWiT dot TV. Might be good to
have you guys 'audit the course' so to speak, in case he goes far afield.
Thanks again for your help.
Ken

