27

I am a little confused (as many others) about the concept of subkeys as related to the primary key. gpg by default (at least it seems on my system --- using RSA), upon gpg --gen-key creates a masterkey and a subkey. The masterkey has flags SC that it could be used for signing and certification. It also creates one subkey with flag E, used for encryption. Are the following statements correct?

  • If I understand the whole concept, both the masterkey and the subkey are key pairs, that is, a pair of private-public keys.
  • The fact that one is only for encryption is because some algorithms have such a requirement (need separate keys for encryption and signature).
  • The subkey with E flag: its public part can be used to encrypt information and its private part to decrypt the information that was encrypted with the public part.
  • The masterkey with SC flag: its private part is used to sign/certify and its public part is used to verify the validity of the signature.

The more confusing part is when I follow the advice to create further subkeys, one for signature, one for encryption. Let's just call the original encryption subkey ESK0 and the new encryption subkey ESK1, and the new signing subkey SSK1 and the masterkey MK.

After creating ESK1 and SSK1 I should have in total 4 public/private key pairs, correct? Then, following the guides, I remove the MK to an offline medium and remove it from my computer, thus I now have in my computer:

  • A public/private pair ESK0 (original encryption)
  • A public/private pair ESK1 (new encryption)
  • A public/private pair SSK1 (new signature)
  • A public key for MK

I then change password using gpg --edit-key $id passwd. According to some guides it should change the password to the subkeys, but I am not so sure about that; I think that this just changes the password to the whole structure bound to MK, it is just that the structure with private MK stored offline still has the old password. Which is correct?

Now, if I sign something, which is the signing key? I believe it has to be SSK1 since MK is no longer available. Correct?

I then upload some public key to a key server using gpg --send-key $id. Which public key/keys have I uploaded?

If someone will use the information from the key server to send me some encrypted information, which public key will be used for the encryption - ESK0 or ESK1? I am worried it would be ESK0 since then the whole point of having subkeys would be completely pointless as for decryption I would still be using ESK0.

Also, why is it that the guides suggest removal of MK but the ESK0 still is supposed to stay on the system? What is the purpose of ESK1 then?

Thank you for any help.

atapaka

1 Answer

23

If you already have an SC and E keys, and you want to remove your C ("master") key to offline storage, then all you require is a new S key (SSK1 in your example). You do not need to create a new encryption subkey -- your existing one is just fine for this purpose.

I then change password using gpg --edit-key $id passwd. According to some guides it should change the password to the subkeys, but I am not so sure about that; I think that this just changes the password to the whole structure bound to MK, it is just that the structure with private MK stored offline still has the old password. Which is correct?

You will change the passphrase on any locally stored subkeys, so it's a perfectly valid thing to do. The offline master key's passphrase will not change. The passphrase is what GnuPG uses to symmetrically encrypt your private keys before storing them on disk (to make sure they are not easily stolen via malware or poorly secured backups).

Now, if I sign something, which is the signing key? I believe it has to be SSK1 since MK is no longer available. Correct?

By default, GnuPG will use the most recently created S key, so SSK1 will always be used in your case -- which is what you want.

I then upload some public key to a key server using gpg --send-key $id. Which public key/keys have I uploaded?

You upload all public key data, including any new subkeys or identities.

If someone will use the information from the key server to send me some encrypted information, which public key will be used for the encryption - ESK0 or ESK1? I am worried it would be ESK0 since then the whole point of having subkeys would be completely pointless as for decryption I would still be using ESK0.

Having multiple valid encryption subkeys is a recipe for something like this happening, so I strongly recommend you do NOT create a new encryption subkey. As I said, you do not need a new encryption subkey if you already have one.

Also, why is it that the guides suggest removal of MK but the ESK0 still is supposed to stay on the system? What is the purpose of ESK1 then?

The "Master key" is your "C" key (certify). It is the key used to sign other people's keys and your own subkeys and identities. If any of your E or S subkeys are lost or you're worried they got exposed to malware, you can simply revoke them and create new ones as long as you trust the integrity of your C key. This is why it is recommended that your C key ("master key") is carefully safeguarded and stored offline.

At the end, your goal is to have the following structure:

  • existing [SC] key -- stored offline, removed from local disk
  • existing [E] key -- kept on disk
  • new [S] key -- kept on disk

Final note -- by default, GnuPG creates your Master key as [SC], but it doesn't have to. You can specifically tell GnuPG to create a standalone [C] key.

mricon
  • 3
    Not to mention Yet Another Guide, but I go into many of these considerations in this document I wrote: https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md – mricon May 29 '18 at 14:11
  • 2
    _"By default, GnuPG creates your Master key as [SC], but it doesn't have to."_ I was just wondering if I could remove the `[S]` capability from my master key. Why GnuPG applies `[S]` capability if it not needed? – Morgan Courbet Aug 20 '18 at 13:12
  • @morgan-courbet By default, the master key has both `S` and `C` capabilities and a single `E` subkey is created. The `S` is needed so you can **Sign** documents and messages. However it is just not convenient for those who plan to have an offline master key (but that is not considered the norm). I don't know if it is possible to remove the `S` capability from the master key, but would like to know myself. – Jonathan Cross Oct 21 '18 at 21:11
  • 1
    @JonathanCross I think I've tried just after I posted the comment and if my memory is right, you can only apply capabilities at creation time. Just try to create a key; `gpg` asks for the capabilities at this moment. That means, no, it doesn't seem to have a way to change the capabilities of a key after it has been created. – Morgan Courbet Oct 21 '18 at 21:19
  • 4
    @JonathanCross @MorganCourbet You can use `--edit-key` to get to the `gpg>` prompt, and then use the hidden command `change-usage` to change the capabilities that a key or subkey has. [See here.](/a/206766/224534) – Jivan Pal Jun 14 '20 at 22:29
  • What I'm confused with is the following: when you revoke a compromised subkey and create a new subkey, the public part of the new subkey will nevertheless be updated on the keyserver, i.e. it needs to be re-distributed. Why is this viewed as simpler/less hassle compared to generating a whole new PGP key set altogether? I sense there's probably something I'm missing... – Boson Bear Feb 08 '22 at 11:30
  • Oh is it simply that one doesn't need to go through the "initial" pubkey distribution process again, or to re-gain trust, etc. because essentially your identity is associated with the primary key? I think I'm getting it after reading more of the PGP trust model, but please correct me if I'm wrong. – Boson Bear Feb 08 '22 at 11:37
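Added example, not part of the thread above: a small Python parser for the record format that `gpg -K --with-colons` (or `--list-keys --with-colons`) prints, applying the selection rule mricon describes (the newest usable key carrying the requested capability) to a constructed keyring with an offline primary, the original E subkey, a revoked second E subkey and a new S subkey. The listing, key IDs and timestamps are made up; the field positions follow GnuPG's documented colon format.

```python
"""Inspect a GnuPG keyring listing in `--with-colons` format.

Constructed sample: the primary (MK) is an offline stub (`#` in field 15),
BBBBBB is the original E subkey (ESK0), CCCCCC is a second E subkey that was
later revoked (ESK1), DDDDDD is the new S subkey (SSK1). Key IDs are made up.
"""
from dataclasses import dataclass

SAMPLE_LISTING = """\
sec:u:4096:1:0000000000AAAAAA:1527500000:::u:::scESC:::#:::23::0:
uid:u::::1527500000::DEADBEEF::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:0000000000BBBBBB:1527500000::::::e:::+:::23:
ssb:r:4096:1:0000000000CCCCCC:1527600000::::::e:::+:::23:
ssb:u:4096:1:0000000000DDDDDD:1527600100::::::s:::+:::23:
"""

@dataclass
class KeyRecord:
    kind: str       # pub/sec = primary key, sub/ssb = subkey
    validity: str   # field 2: u = ultimate, r = revoked, e = expired, ...
    keyid: str      # field 5
    created: int    # field 6, seconds since the epoch
    caps: str       # field 12: lowercase = this key, uppercase = whole key
    stub: bool      # field 15 == "#": secret part is not on this machine

def parse_listing(text: str) -> list[KeyRecord]:
    """Keep key records only; uid/fpr/etc. lines are skipped."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub", "sec", "ssb"):
            keys.append(KeyRecord(f[0], f[1], f[4], int(f[5]), f[11], f[14] == "#"))
    return keys

def usable(k: KeyRecord) -> bool:
    # revoked, expired, disabled, invalid or stub keys are never selected
    return k.validity not in ("r", "e", "d", "i", "n") and not k.stub

def select_key(keys, cap: str):
    """GnuPG default: newest usable key whose own capabilities include cap."""
    cands = [k for k in keys if cap in k.caps and usable(k)]
    return max(cands, key=lambda k: k.created).keyid if cands else None

def primary_is_offline(keys) -> bool:
    return any(k.kind == "sec" and k.stub for k in keys)

if __name__ == "__main__":
    keys = parse_listing(SAMPLE_LISTING)
    print("encrypt with:", select_key(keys, "e"))  # ESK0; revoked ESK1 is skipped
    print("sign with:", select_key(keys, "s"))     # SSK1; the primary's S is a stub
    print("primary offline:", primary_is_offline(keys))
```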