The best practice of master/sub key capabilities

Peter Lebbing peter at
Sun Aug 30 11:24:00 CEST 2015

On 22/08/15 17:25, Dongsheng Song wrote:
> Now I want to create my new key like this:
> sec   rsa4096/93D374EB 2015-08-22 [C]
> uid         [ultimate] example <example at>
> ssb   rsa2048/466D08E1 2015-08-22 [S]
> ssb   rsa2048/AD92E667 2015-08-22 [E]
> ssb   rsa2048/07DEFA25 2015-08-22 [A]
> ssb   ed25519/AE83BE7C 2015-08-22 [S]
> ssb   cv25519/0FACE148 2015-08-22 [E]
> ssb   ed25519/610E5096 2015-08-22 [A]

Sorry I forgot to answer earlier. This seems a reasonable setup. If this
makes you feel happy, go for it :). I still think RSA-4096 is a bit
much, though. People who have your public key and use an underpowered
system will see that building the trust database can take significantly
longer in checking your certifications.

I don't know when GnuPG checks subkey bindings, but that takes
significantly longer as well. Subkey bindings verify the correspondence
between a primary key and a subkey, and are part of your public key.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
