Several master keys vs. master key ,and subkeys

Sin Trenton biggles.trenton at
Tue Jul 16 12:21:20 CEST 2013

On 2013-07-16 10:52, gnupg-users-request at wrote:
> Message: 2
 > Date: Tue, 16 Jul 2013 10:09:38 +0200
 > From: Werner Koch  <wk at>
 > To: Martin <martin.brochhaus at>
 > Cc: gnupg-users at
> Subject: Re: Several master keys vs. master key and subkeys
 > Message-ID: <87k3krj58d.fsf at>
> Content-Type: text/plain; charset=us-ascii
> On Tue, 16 Jul 2013 01:16, martin.brochhaus at said:
>> >This person claims that subkeys are not the best option because:
>> >Any reasons why I should stick to GPGs "native" subkey feature?
> Yes, because that is a core concept of OpenPGP.

Sorry if this is wordy, but I want to make sure I cover most details.. :)

I thought I had grasped the concept of all various key parts, but now 
I'm getting a bit unsure..

A GnuPG key has a private key and a public key. When you first create 
it, you get these two parts, and a different kind of "keys", a primary 
key (usage: SC), and a sub key for encryption (usage: E).
You can add and revoke sub keys, as much as you want, as well as UIDs, 
for when you change or add mail addresses, Jabber IDs, etc.
You can also make a version of your key where the primary key is deleted 
and you have two sub keys, one for encryption (usage: E) and one for 
signing (usage: S).

But so far, I've always thought that "changing password for a subkey" 
was changing the password for, say like in the second example above? You 
have a version B of your key, with a different password than version A 
(where the primary key is still present)? Not that one particular subkey 
per se has a different password?
If I were to create two different signing subkeys (usage:S), not sure 
why, but still, I could give them different passwords?
If you _can_ assign a separate, different password to a particular 
subkey, I assume it is done under --edit-key, but how?

Just for the record, I use GnuPG 1.4.13 on Windows XP and Linux Mint 14 
Nadia. I tend to use commandline 90% of the time, but for text snippets 
on my work PC, I also use Cryptophane. On my work PC I run it locally 
(local.bat with set GNUPGHOME=.) from inside a mounted TrueCrypt volume. 
Cryptophane is also set to 'no-config'.

I have four versions of my key (RSA):
1. "Main key", which is only stored offline, and which contains primary 
key and all past and present subkeys, including revoked ones. (None so 
far). This key has passphrase A.
2. The key I use, which is kept inside the TrueCrypt file mentioned 
above. It has my current subkeys for encryption and signing, but not the 
primary key. This key has passphrase B.
3. A travel key, basically GnuPG 1.4.13 and Cryptophane on a USB 
thumbdrive. It only has my public key.
4. Same as 3. on my work mobile, using Android and APG 0.8. Only public 
key present.

The reason for 3 and 4 is that I discovered that during the day, I more 
often want to _encrypt_ something to myself, a file or a short piece of 
text, in various situations. It can be before uploading a diary note or 
a customer file to Dropbox or pretty much just anything. Decryption 
happens later, when at my desk or in more secure environments, using key 
version 2.
This is also based on something that may have been acknowledged on this 
list more than once; That at the end of the day, you encrypt to yourself 
much more often than you do to other people, who can't be bothered with 
encryption anyway. ;)

Sin T

More information about the Gnupg-users mailing list