6

Through output of gpg -k und gpg -K it seems that I always have (as well as create) (sub)keypairs. But, if the purpose of the pub and sub is as it is shown below and the purpose of the secretkey is mainly decryption, what's the purpose of the secret-subkeys? (I got the usage from gpg --edit-key key-id)

$ gpg --list-keys ... && gpg --list-secret-keys ...
pub   4096R/615399D8 2015-11-06 [expires: 2016-02-04] --> usage: SC
uid                  ...
sub   4096R/B30A78EB 2015-11-06 [expires: 2016-02-04] --> usage: E
sub   4096R/BBE36ACB 2015-12-13 [expires: 2016-02-04] --> usage: S
sub   4096R/B53C8F6D 2015-12-13 [expires: 2016-02-04] --> usage: A

sec   4096R/615399D8 2015-11-06 [expires: 2016-02-04]
uid                  ...
ssb   4096R/B30A78EB 2015-11-06 [expires: 2016-02-04]
ssb   4096R/BBE36ACB 2015-12-13 [expires: 2016-02-04]
ssb   4096R/B53C8F6D 2015-12-13 [expires: 2016-02-04]
prankenandi
  • 373
  • 3
  • 6

1 Answers1

3

For some algorithms, subkeys are a technical necessity: for example DSA (the digital signing algorithm) can only be used for signing, and requires an additional encryption subkey (for example Elgamal). This is not true for RSA, which can be used for both signature and encryption.

Distinguishing between a primary key and subkeys has another reason: It allows to keep the (private) primary key as little exposed as required, only using it for key management operations like adding and revoking subkeys and user IDs, and certifying other's keys (this is the C capability printed in the output you provided).

By using subkeys, you could even make use of an offline primary key, which means you remove the private primary key from your default keyring, and keep it safely disconnect except for the rare circumstances you actually need it. Some people have it on thumb drives, others even use an old computer dedicated for this purpose.

Even if you don't do this: using the key might make it vulnerable to certain attacks. For example, DSA is vulnerable when used to sign reusing parameters. If you used a DSA key often (for example, for signing all your mail), you're much more likely to be catched by this issue and revealing your private primary key than if you only use it rarely for key management. Your private subkey would still be revealed -- but you can easily revoke it and create a new one, without losing your reputation in the OpenPGP web of trust, like you would when revoking your primary key. Another advantage is you might use different signing subkeys on different machines (and if one machine is hacked, you don't have to change all of them). This doesn't work out that well for encryption keys, though.

Jens Erat
  • 23,816
  • 12
  • 75
  • 96
  • `Distinguishing between a primary key and subkeys has another reason: It allows to keep the (private) primary key as little exposed as required, only using it for key management operations` I do understand this. But the capabilities (_E, S, A_) are listed behind the subkeys (_sub_) of the public key (_pub_). So for what do I need the subkeys (_ssb_) of the secret key (_sec_)? They have the same key-id as the corresponding public-subkey (_sub_), but no information about the usage. – prankenandi Jan 29 '16 at 16:07
  • Keys for public/private key (asymmetric) cryptography always occur in pairs. You could have different sets of private keys on different machiens, others would only have your public keys. I don't see the reason why the usage is omitted from the secret keys list, but those lists _can_ differ, thus you can query it separately. Keys named `sec` are secret primary keys, keys named `ssb` are secret subkeys (from "Secret SuBkeys"). – Jens Erat Jan 29 '16 at 16:16