Different signing & encryption keys

Peter Lebbing peter at digitalbrains.com
Tue Aug 12 21:04:56 CEST 2014


On 12/08/14 19:50, Phillip Susi wrote:
> but these days just seem to use a single RSA key by default.

The default is an RSA-2048 primary key with certify[1] and sign abilities, and
an RSA-2048 subkey with encryption capability. I think you're mistaken.

>  Is it still possible and/or beneficial to use two separate subkeys
> for signing and encrypting?

It's even recommended /not/ to use the /same/ key material for signing and
encryption. In other words, yes, it is definitely beneficial to use a separate
subkey for encryption.

Whether you want to split certification and data signatures is up to you. I
think the only benefit for splitting is that you can keep your
certification-capable key on an offline system and still issue signatures from
your online system[2]. Even if that's the only benefit, it's still quite a
benefit depending on your needs and wishes.

HTH,

Peter.

[1] /Every/ primary key has certify by necessity
[2] I can think of theoretical attacks under special circumstances and with bad
practices. I wouldn't worry about them.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
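As an added illustration (not part of Peter's mail): the capability letters in field 12 of `gpg --list-keys --with-colons` output make the layouts discussed above easy to check. The listings below are constructed samples with placeholder key IDs, not captured from a real keyring.

```python
"""Check a GnuPG key layout for the separation the mail recommends: no key
material that both signs and encrypts, and a primary key that only certifies."""
from typing import Dict, List, Set

# Constructed listings in the shape of `gpg --list-keys --with-colons` output
# (key IDs and fingerprints are placeholders, not real values).
# Default layout: primary key certifies and signs, one subkey encrypts.
DEFAULT_LISTING = """\
pub:u:2048:1:0123456789ABCDEF:1407870000:::u:::scESC::::::23::0:
fpr:::::::::000000000000000000000123456789ABCDEF:
uid:u::::1407870000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1407870000::::::e::::::23:
"""
# Split layout: certify-only primary plus separate signing and encryption subkeys.
SPLIT_LISTING = """\
pub:u:2048:1:0123456789ABCDEF:1407870000:::u:::cESC::::::23::0:
uid:u::::1407870000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:2048:1:1111111111111111:1407870000::::::s::::::23:
sub:u:2048:1:FEDCBA9876543210:1407870000::::::e::::::23:
"""
# One key doing everything: the layout the mail advises against.
SINGLE_LISTING = """\
pub:u:2048:1:0123456789ABCDEF:1407870000:::u:::escaESCA::::::23::0:
uid:u::::1407870000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
"""

def parse_keys(listing: str) -> List[Dict[str, object]]:
    """Return one record per pub/sub line with the capabilities of that key only."""
    keys: List[Dict[str, object]] = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub"):
            continue
        # Field 12 of gpg's DETAILS format: lowercase letters are the capabilities
        # of this particular key; uppercase letters on the pub line summarise the
        # whole key (primary plus subkeys) and are ignored here.
        own_caps: Set[str] = {c for c in fields[11] if c.islower()}
        keys.append({"type": fields[0], "keyid": fields[4], "caps": own_caps})
    return keys

def audit(keys: List[Dict[str, object]]) -> List[str]:
    """Report layouts that undercut the separation of signing and encryption."""
    findings = []
    for k in keys:
        if {"s", "e"} <= k["caps"]:
            findings.append(f"{k['keyid']}: same key material both signs and encrypts")
    primary = next((k for k in keys if k["type"] == "pub"), None)
    if primary is not None and "s" in primary["caps"]:
        findings.append(f"{primary['keyid']}: certify-capable primary key also signs data; "
                        "a signing subkey would let it stay offline")
    if not any("e" in k["caps"] for k in keys):
        findings.append("no encryption-capable key present")
    return findings

if __name__ == "__main__":
    for name, listing in (("default", DEFAULT_LISTING), ("split", SPLIT_LISTING), ("single", SINGLE_LISTING)):
        print(name, audit(parse_keys(listing)) or ["ok"])
```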