4

As far as I know after reading several tutorials, it's reasonable to create one subkey for signing per each device I use, especially one that can be stolen, like laptop. However, having multiple encryption subkeys is cumbersome since the person sending a message to me must known which key to use to encrypt their message. Am I correct?

If so, what is the risk of having one's private encryption key stolen? Is it possible to decrypt messages even after the key is revoked? Can I just create new key with my master and send public key to my friends again? And - what is most important - is it possible to decrypt messages with master key or the lost subkey is the only one that can decrypt them?

Mike Poole
  • 225
  • 1
  • 2
  • 9
mDfRg
  • 137
  • 1
  • 6

1 Answers1

4

However, having multiple encryption subkeys is cumbersome since the person sending a message to me must known which key to use to encrypt their message. Am I correct?

Yes. There is not even a way to couple subkeys to user IDs or any kind of target devices.

Is it possible to decrypt messages even after the key is revoked?

Yes. Revocation does not "destroy" the private key in any, it just marks the public key as revoked.

Can I just create new key with my master and send public key to my friends again?

Given you revoked a subkey, the primary/master key stays valid. If you add a new subkey pair, this will have the same validity and trust the revoked subkeky pair had, as both are not assigned to the subkey, but the primary key instead.

On the other hand, revoking the primary key means your friends have to verify the key again, switching to a new primary key pretty much means "starting from scratch".

And - what is most important - is it possible to decrypt messages with master key or the lost subkey is the only one that can decrypt them?

You can only decrypt messages using the private key it was encrypted for. If a message was encrypted for a subkey, it can only be decrypted using that subkey, the primary key cannot be used for decryption. If it was encrypted for a primary key, you need the private primary key for decryption.

It would well be possible to encrypt for both keys, but encrypting to multiple (sub)keys of a primary key is not common usage of OpenPGP.

Jens Erat
  • 23,816
  • 12
  • 75
  • 96
  • Thank you @Jens. Still need some clarification: "If it was encrypted for a primary key, you need the private primary key for decryption." - I'm confused. I thought the encryption key is always the subkey, whereas the master (aka primary) key is used for signing and certification (it's what written in the table when you run `gpg --edit-key` pub usage: SC / sub usage: E. So if I revoke my first encryption key does it equals revoking the whole keyring with master/primary as well? PS. Master key is a synonym to primary key, right? – mDfRg Apr 01 '16 at 23:40
  • 1
    The official term in OpenPGP is primary key, the RFC doesn't know the term "master key". Primary keys can also have the encryption capability flag set (in GnuPG, using the `--expert` option during key generation, and only if the algorithm supports it, for example RSA). Revoking a subkey never automatically revokes the primary key, but the other way round. – Jens Erat Apr 02 '16 at 06:45