33

This is how my key is set up:

pub  4096R/AAAAAAAA  created: 2012-11-14  expires: 2013-11-14  usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/BBBBBBBB  created: 2012-11-14  expires: 2013-11-14  usage: E   
[ultimate] (1). xxxx <xxxx@xxxx.com>

I know this is standard, to have the subkey handle decryption. Why is this though? How is this different from me just having a single key that does everything?

CaptSaltyJack
  • 477
  • 1
  • 4
  • 10

1 Answers1

47

There are three main reasons why you may want to have separate keys:

  1. Not all key types can be used for both encryption and signature. OpenPGP (the format that GnuPG implements) primarily supports RSA, ElGamal and DSA; ElGamal is encrypt-only, while DSA is sign-only. RSA can do both; however, there was a time when RSA was still patented, and since that time some PGP implementations have taken the habit of defaulting to ElGamal+DSA, hence necessarily two key pairs.

  2. Encryption keys should be escrowed (i.e. have backup somewhere), while signature keys should not. See this answer for a discussion on this subject. Since a given key cannot be both escrowed and not escrowed, you should need two keys.

  3. Ideally, you should have a single master key, that you keep in a specially well protected keyring, and subkeys for daily tasks. The master key is supposed to be your "root" key with no expiry date; it is large and bulky and possibly inefficient, but you don't use it often. The subkeys may be shorter (thus more efficient) because you define them to have a short lifetime (e.g. one or two years): you don't have to make them fat enough to survive advances in technology one or two decades from now. The master key doubles as "revocation key" in case one of your subkeys gets stolen.

Community
  • 1
Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • 5
    Not backing up signatures has subtle side effects. If you lose the signing key, you will need to bootstrap the trust-chain from either face-to-face contact or a "root signature" that is backed up somewhere. In practice if you don't want to include NSA sock-puppets (sorry, I mean "Root CAs") in your trust chain you might need to backup in a bank vault or sub-dermal microchip a longer term root-signing key for signing the short-term signing keys. – LateralFractal Oct 10 '13 at 00:35
  • 4
    Ok Thomas, bear with me as I'm having trouble grasping this. I have a single secret key that contains a master key and a subkey for encryption. Do I need to do anything further at this point or am I good to go? If I need to offload my encryption subkey to a different location, how do I do that? An additional question: when I export my public key for others to use, it exports the same text no matter what subkey I choose to export. Is it just exporting what others would need to encrypt content for me? – CaptSaltyJack Oct 10 '13 at 15:11
  • checkout https://wiki.debian.org/Subkeys for stepbystep to get a full setup with local subkeys derived from backupd 'master'key – qrtLs Mar 07 '20 at 13:53