3

I've always used OpenPGP as a single private/public pair of keys for (S)igning and (E)ncryption.

But learning about OpenPGP subkeys, I found it's recommended to use separate keys for (C)ertification, (S)igning and (E)ncryption. As I understood, the certification key is only used to create new subkeys. So what is the best way to use the master key and subkeys? Why can't I use the master key for (C), (S), (E), and why is it recommended to use separate keys for (S) and (E)?

Jens Erat
0928e8f6

2 Answers

2

One of the most secure and practical ways to organize PGP keys is to use subkeys with an offline master key.

In essence, with subkeys you can store your Master/(C)ertification key in encrypted, trusted offline storage, and your day-to-day workstation only has the (S)igning and (E)ncryption keys. You would only take out your (C) key when you need to sign or revoke your own or someone else's key, which usually happens much less often than regular signing and encrypting.

The reason why it's recommended to use separate (S) and (E) keys is that many people use multiple devices, and you can only have one (E) key on all your devices if you want to be able to read all your encrypted data from any one of your devices, but you can use multiple (S) keys, one for each of your devices, and all of your devices can still verify signatures because there is a trust chain to your master key.

Also, you can put shorter expirations on your subkeys. The master key is effectively non-expirable, as you can always extend the expiry of a master key.

Note that newer versions of GPG create subkeys by default.

Lie Ryan
  • So the master (C) key can't encrypt, decrypt, sign. It can only create new subkeys and revoke keys? If I lose the (E) key, I will lose all encrypted info and won't be able to decrypt it with the master (C) key, but will be able to create a new (E) key only with the (C) key? If I lose the (C) key, I will not be able to create new subkeys and revoke (E) and (S) keys, but will be able to encrypt, decrypt info until the key expires? Is that right? – 0928e8f6 Feb 06 '16 at 08:49
  • And one more question. So newer versions of GPG create 5 keys: private C, E and S keys and E and S public keys? – 0928e8f6 Feb 06 '16 at 08:52
  • Tested on my machine just now, gpg2 --gen-key creates two keys: master key pair with SC and a subkey pair with E. – Lie Ryan Feb 06 '16 at 09:21
  • @gikel3888: as to your first comment, I believe you are correct, yes. Note that you can still decrypt data using an expired (E) key; the expiry is for other people, they are not supposed to encrypt to you using an expired (E) key, as that is considered insecure. Note that this means that if you want to be able to read old data, you must never delete an expired (E) private key even if you create and publish a new (E) private key. – Lie Ryan Feb 06 '16 at 09:27
  • Thank you. The master key pair with SC comes with private and public keys, as I understand. Then I can't understand, what is the purpose of the public C and S keys? The public E key is for encryption, and the private E for decryption, but C and S keys must be only private, no? With C I only create and revoke other keys, so there is no need for a public C key, and with S I sign, so why do I need a public one for S? – 0928e8f6 Feb 06 '16 at 10:19
  • @gikel3888: other people need your S and C public key to verify signatures and keys that you have signed with them. The Master's public key is a trust anchor, it cannot be directly used to verify the signatures made by its subkey. Signatures made by a subkey can only be verified with the subkey's public key; but the subkey's public key will only be trusted if it is signed by the C key from your Master Key, which is the trust anchor. – Lie Ryan Feb 06 '16 at 10:25
0

Generally, all OpenPGP primary keys have the certification capability C. You cannot have one without it; it is required to certify (sign) others' keys and to perform key management operations like creating and revoking subkeys and user IDs.

Revoking the primary key means you have to exchange keys again with your communication partners, lose all the reputation in the web of trust, ... It is recommended not to use the primary key for any "day to day" tasks like encryption E, signing S and authentication A. Adding a pair of subkeys is cheap and easy; it just takes some seconds, and storage requirements are negligible.

You rarely need to use the certification capability functions, that's why some people move those keys to an offline location: a thumb drive, another (old) computer dedicated for this purpose, OpenPGP smartcards.

To wrap up, the recommended key setup is something like

  • primary key, capability C (you might want to keep it offline)
    • encryption subkey, capability E
    • signing subkey, capability S (some people use additional signing subkeys for different computers)
    • authentication subkey, capability A (but probably you'll not need and use it)

(with of course each of those forming a public/private key pair).

Jens Erat
  • That means primary keys have C, E and S capabilities, no expiry date, and are kept offline, and subkeys with E and S capabilities have expiry dates and are for daily use? – 0928e8f6 Feb 06 '16 at 09:09
  • 1
    You can have a primary key _without_ encryption and signature capability, indicating it won't be used for these purposes. I'd at least recommend removing the encryption capability, otherwise some weird and broken OpenPGP implementation will come up encrypting for the offline primary key. Considering key expiration, I'll simply refer to another question where this topic is already discussed: http://security.stackexchange.com/q/14718/19837 – Jens Erat Feb 06 '16 at 09:25
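
A check for the key layout both answers recommend, added here as an example (it is not code from either answer or from GnuPG): it reads `gpg --list-secret-keys --with-colons` output and reports where a key departs from that layout. The sample listing is constructed, and the field positions assume the GnuPG 2.x colon format with epoch timestamps.

```python
from datetime import datetime, timezone

# Constructed `gpg --list-secret-keys --with-colons` output; key IDs and dates are made up.
SAMPLE = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1454745600:::u:::cESC:::#:::23::0:
uid:u::::1454745600::::Alice Example <alice@example.org>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1454745600:1486281600:::::e:::+:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1454745600::::::s:::+:::23:
"""

def audit(listing, now):
    """Return findings where the key layout departs from the answers' advice."""
    findings, usable = [], set()
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue
        # Assumed GnuPG 2.x layout: field 5 key ID, 7 expiry (epoch seconds),
        # 12 capabilities, 15 token marker.
        keyid, expires, caps, token = f[4], f[6], f[11], f[14]
        own = {c for c in caps if c.islower()}  # uppercase = whole-key summary
        if f[0] == "sec":
            extra = sorted(own - {"c"})
            if extra:
                findings.append(f"{keyid}: primary key also has capability {''.join(extra)}")
            if token != "#":  # '#' marks a stub: secret material is not on this machine
                findings.append(f"{keyid}: primary secret key is stored on this machine")
            continue
        label = "".join(sorted(own))
        if not expires:
            findings.append(f"{keyid}: subkey ({label}) has no expiry")
        elif int(expires) <= now:
            findings.append(f"{keyid}: subkey ({label}) expired")
            continue  # an expired subkey does not count as usable
        usable |= own
    for cap in "es":
        if cap not in usable:
            findings.append(f"no usable subkey with capability {cap}")
    return findings

if __name__ == "__main__":
    now = int(datetime(2016, 6, 1, tzinfo=timezone.utc).timestamp())
    for finding in audit(SAMPLE, now):
        print(finding)
```
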