3

I have seen from different sources that the sole purpose of the master key should really be to generate the subkeys, and that it should be subsequently backed up to an offline location and deleted from the device on which it was generated. Why is that? I just don't get the rationale for having both master and subkeys since, ultimately, they're all associated with the same passphrase.

Jens Erat
  • 23,446
  • 12
  • 72
  • 96
Tfovid
  • 131
  • 2
  • Stack Exchange has a "one topic per question" convention. I removed your additional questions to narrow-down the scope (it might have been closed as "too broad" otherwise); also asking for off-site resources/tutorials is considered off topic here. Better ask individual questions on each of the topics, but make sure to read up on each of them a little bit (each of them has some more or less duplicate questions already on this site), folks don't like answering the same question again and again. – Jens Erat Aug 25 '17 at 19:25
  • @JensErat Alright, thanks. Will take that into account next time. – Tfovid Aug 28 '17 at 15:23
  • It is good cryptographic principle to use keys only for one purpose, this way you can separate signing from decryption and certification. It also alllows to roll over decryption keys without the need of reevaluating the Web of tust. However this can also be done with main keys (and in fact most automated users of PGP seem to not care about subkeys) – eckes Nov 23 '17 at 22:13

1 Answers1

1

The primary key, and only the primary key is allowed to perform key management operations (adding and removing user IDs, subkeys, ...) and issue certifications on other keys. Storing the secret primary key offline provides additional security against misuse of those especially sensitive operations.

Furthermore, the primary key is target of incoming certifications from other keys. If you have to revoke a subkey because it got compromised (computer got hacked, issues like the DSA and random number generator bug Debian had), you roll over your subkey and everything's fine (at least, for messages encrypted/signed in future). All your contacts have to do is fetching the updated key from the keyservers running gpg --recv-keys <key-id>. If you have to revoke your primary key instead, you lose all certifications on that key: all trust in that key is lost, you will have to start over distributing your key and getting it signed.

Jens Erat
  • 23,446
  • 12
  • 72
  • 96
  • Thanks. I understand that the primary key has more of an "admin" function in that regard. But what I don't understand is that both primary and subkeys are ultimately tied to the same passphrase. The whole reasoning whereby a primary key can conveniently revoke a subkey if it ever gets compromised is therefore somewhat a "logical fallacy". If I lose a copy of my car key, my car isn't any safer from theft if I happen to have a "primary" key backed up somewhere... What part am I missing here? – Tfovid Aug 28 '17 at 15:29
  • The main idea is not to expose the primary secret key at all, thus keeping it offline (eg. in an additional copy of your keyring on a thumb drive, another computer, ...) when not needed. Even if an attacker gets hold of your subkeys _and_ your passphrase, he still has no access to the private key and you could just rollover subkeys (setting up a new passphrase might also be a good thing in this case). Your primary secret key was never affected and thus can stay unchanged. – Jens Erat Aug 28 '17 at 20:46