Key generation, subkeys and improved documentation

Sandeep Murthy s.murthy at mykolab.com
Mon Jan 5 16:54:45 CET 2015


Hi

I have a couple of questions about key generation, subkeys and the documentation
on gnupg.org.

(FYI I have GnuPG/MacGPG (v. 2.0.26) on my Mac.)

1. I just tried to generate an RSA keypair using `gpg` on the command line, and it
asks me to choose a key length between 1024 and 8192.  Here is the relevant output
from my terminal session:

    RSA keys may be between 1024 and 8192 bits long.
    What keysize do you want? (2048) 8192
    Requested keysize is 8192 bits

I thought the maximum was 4096?  For example, GPGKeychain (the GUI keychain
utility from the GPGTools suite which installs GnuPG/MacGPG) doesn’t allow
key sizes bigger than 4096.  In any case, choosing 8192 fails with `gpg`:

    gpg: keysize invalid; using 4096 bits

Shouldn’t this be changed to ensure that 4096 is the limit, or is it possible to have
an 8192 length RSA key, or is this limited by the current capabilities of the random
number generator?

2. The key generation dialogue for v. 2.0.26 (started by `gpg --gen-key`) shows
the following list of options for keys:

    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)

As a user this is confusing to see, for example, RSA and RSA - of course I worked
out afterwards that this was going to generate two keypairs, one for signatures (S),
the other for encryption (E), but at the moment it’s just confusing, even if I have to
generate new keys again.  There is also no explanation that the public key itself is
a pair of keys, one which actually makes the signatures using the private key, and
the other (subkey) which others use to encrypt messages to you.

Also these subkey codes S, E, and also C, A are not explained at all - I had to
look up the source code (`keyedit.c` in the `g10/` subfolder of the source folder) to
guess at what they mean.

For example, here is the information provided by `gpg` for my keybase.io public key:

    pub  4096R/9EAB92B4  created: 2014-12-30  expires: never       usage: SCEA
                         trust: ultimate      validity: ultimate
    sub  2048R/238026C5  created: 2014-12-30  expires: 2022-12-28  usage: S
    sub  2048R/66C9185A  created: 2014-12-30  expires: 2022-12-28  usage: E
    [ultimate] (1). keybase.io/sandeepmurthy <sandeepmurthy at keybase.io>

There should be an explanation surely of what S C E A mean: S (signatures),
E (encryption), C (creating a certificate) and A (authentication?).

3. At the moment the documentation on gnupg.org - both the manuals and the
privacy handbook - is out of date for v. 2.x+, e.g. the privacy handbook
https://www.gnupg.org/gph/en/manual/c14.html showing the possible keypair
choices as

   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) ElGamal (sign and encrypt)

which is obviously different from what the current version allows.  Perhaps
there should be a much better explanation of subkeys and the codes S, C, E, A,
because I don’t think it’s there right now.  Since the handbook is aimed at first
time users it seems these updates should be (and could be) made very quickly.

I use GnuPG but I would also like to contribute.  Would it be possible to clone
the repo and make a pull request or something like that?

Sandeep Murthy
s.murthy at mykolab.com
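As an added example (not part of the original message and not GnuPG's own code), here is a small Python checker that parses the `gpg --edit-key` style listing quoted in the message, spells out the S/C/E/A usage letters, and flags a few things a key owner would want to notice: RSA keys shorter than 2048 bits, a primary key that cannot certify, a primary key that carries E (encryption is usually delegated to a subkey), and subkeys with no expiry. It assumes the human-readable listing format shown in the message rather than the machine-readable `--with-colons` output.

```python
import re
from typing import Dict, List

# Meaning of the usage letters gpg prints after "usage:" (gpg --edit-key, gpg -K).
USAGE_FLAGS = {"S": "sign data", "E": "encrypt data",
               "C": "certify (sign user IDs and subkeys)", "A": "authenticate"}

# Matches the pub/sub lines of an edit-key listing, e.g.
# "sub  2048R/238026C5  created: 2014-12-30  expires: 2022-12-28  usage: E"
KEY_LINE = re.compile(
    r"^(?P<kind>pub|sub)\s+(?P<bits>\d+)(?P<algo>[A-Za-z])/(?P<keyid>[0-9A-Fa-f]{8,16})\s+"
    r"created:\s*(?P<created>\S+)\s+expires:\s*(?P<expires>\S+)\s+usage:\s*(?P<usage>[SECA]+)")

def parse_key_listing(text: str) -> List[Dict[str, object]]:
    """One dict per pub/sub line (kind, bits, algo, keyid, created, expires, usage); other lines skipped."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            k = m.groupdict()
            k["bits"] = int(k["bits"])          # "4096" -> 4096
            k["keyid"] = k["keyid"].upper()
            keys.append(k)
    return keys

def describe_usage(usage: str) -> List[str]:
    """Spell out the letters, e.g. "SE" -> ["sign data", "encrypt data"]."""
    return [USAGE_FLAGS[c] for c in usage]

def review_keys(keys: List[Dict[str, object]]) -> List[str]:
    """Hygiene findings: short RSA key, primary lacking C, primary doing E, subkey without expiry."""
    findings = []
    for k in keys:
        if k["algo"] == "R" and k["bits"] < 2048:
            findings.append(f"{k['keyid']}: RSA key shorter than 2048 bits")
        if k["kind"] == "pub" and "C" not in k["usage"]:
            findings.append(f"{k['keyid']}: primary key cannot certify")
        if k["kind"] == "pub" and "E" in k["usage"]:
            findings.append(f"{k['keyid']}: primary key encrypts; prefer a separate E subkey")
        if k["kind"] == "sub" and k["expires"] == "never":
            findings.append(f"{k['keyid']}: subkey never expires")
    return findings

# Sample input: the listing quoted in the message above (keybase.io key).
SAMPLE = """\
pub  4096R/9EAB92B4  created: 2014-12-30  expires: never       usage: SCEA
                     trust: ultimate      validity: ultimate
sub  2048R/238026C5  created: 2014-12-30  expires: 2022-12-28  usage: S
sub  2048R/66C9185A  created: 2014-12-30  expires: 2022-12-28  usage: E
"""
```

Running `review_keys(parse_key_listing(SAMPLE))` on the quoted listing reports only that the 4096-bit primary key carries E alongside C, S and A.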
