 

Are GnuPG subkeys to be sent to the keyserver instead of the master key?

Tags: gnupg, openpgp, pgp

Ok, so I've generated my PGP keys using GnuPG and sent the key to the keyservers.
But then I found that GnuPG generates a pair of keys, one main and one subkey as I understand it.
Did I make an error by uploading my main key to the keyserver using the id (some letters/numbers) of the main key? I am a bit lost in what subkeys do and how to use them.

Thanks

Matt asked Aug 19 '14 09:08




1 Answer

Generally, it is recommended to use subkeys instead of the primary key for daily use (signing and encrypting mails and files, ...). The primary key is usually only used to manage your subkeys and certify other people's keys. The advantage is that you can easily revoke and exchange your subkeys without your reputation in the OpenPGP web of trust getting lost (all incoming certifications point to the user IDs, which are connected to the primary key, not the subkeys).

For this reason, whenever you export/share a subkey (without any special options set), the primary key is included; if not, both incoming certifications and the connection to your user IDs (i.e. mail addresses) would be missing.

On the other hand, if you export your primary key using gpg --export [keyid] or upload it using gpg --send-key [keyid], by default subkeys, user IDs and incoming certifications are also included.

You can easily verify the primary key being included by running

gpg --list-packets [filename]

which will print a (possibly very long) list of all OpenPGP packets contained in the file, i.e. primary and subkeys, but also user IDs and incoming certifications.

Jens Erat answered Nov 13 '22 17:11

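The answer's point is that an export is a packet stream: a key packet, the user IDs and certifications bound to it, then the subkeys with their binding signatures, which is exactly what gpg --list-packets walks. The following Python script is an added example (not part of the answer above, and not GnuPG's own code) that performs the same "which packets are in this export" check programmatically: it strips the ASCII armor of a gpg --export --armor block, walks the packet headers as defined in RFC 4880 section 4.2, maps the tags to names (RFC 4880 section 4.3), and reports whether the stream opens with a primary key packet. It does not parse packet bodies, verify signatures or validate the armor CRC line, so it answers only the presence question the answer raises. The sample block it parses is constructed here with filler bodies (only the packet sequence mirrors a real public-key export); the user ID `Matt <matt@example.org>` and the `=AAAA` CRC line are placeholders.

```python
import base64

# Packet tags from RFC 4880 section 4.3 that appear in an exported key.
PACKET_TAGS = {2: "signature", 5: "secret-key", 6: "public-key", 7: "secret-subkey",
               13: "user-id", 14: "public-subkey", 17: "user-attribute"}


def dearmor(text):
    """Decode an ASCII-armored block (`gpg --export --armor`) to its binary
    packet stream; armor headers and the trailing '=' CRC line are skipped."""
    state, b64 = "outside", []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            state = "headers"
        elif line.startswith("-----END PGP"):
            break
        elif state == "headers" and line == "":   # blank line ends the armor headers
            state = "data"
        elif state == "data" and not line.startswith("="):
            b64.append(line)
    return base64.b64decode("".join(b64))


def parse_packets(data):
    """Walk packet headers (RFC 4880 section 4.2) and return [(tag, body_len)];
    bodies are skipped, which is all a 'which packets are here' check needs."""
    packets, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        i += 1
        if ctb & 0x40:                       # new-format header: tag in low 6 bits
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not expected in a key export")
        else:                                # old-format header: tag in bits 2-5
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            size = {0: 1, 1: 2, 2: 4}.get(ltype)
            if size is None:
                raise ValueError("indeterminate length is not expected in a key export")
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        if i + length > len(data):
            raise ValueError(f"truncated packet at offset {i}")
        packets.append((tag, length))
        i += length
    return packets


def packet_names(packets):
    """Tag names in stream order, like the left column of gpg --list-packets."""
    return [PACKET_TAGS.get(tag, f"tag-{tag}") for tag, _ in packets]


def includes_primary_key(packets):
    """An export carries the primary key iff the stream opens with a key packet."""
    return bool(packets) and packets[0][0] in (5, 6)


def encode_packet(tag, body):
    """New-format packet with a one- or two-octet length; only used to build the sample."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    return bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF]) + body


def build_sample_export():
    """Constructed stand-in for `gpg --export --armor` output: packet bodies are
    filler bytes, only the packet sequence mirrors a real public-key export."""
    stream = (encode_packet(6, b"\x04" + bytes(40))                    # primary public key
              + encode_packet(13, b"Matt <matt@example.org>")         # user ID (placeholder)
              + bytes([0x88, 72]) + b"\x04\x13" + bytes(70)           # self-cert, old-format header
              + encode_packet(14, b"\x04" + bytes(300))               # public subkey
              + encode_packet(2, b"\x04\x18" + bytes(70)))            # subkey binding signature
    b64 = base64.b64encode(stream).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=AAAA", "-----END PGP PUBLIC KEY BLOCK-----"])  # =AAAA: placeholder CRC


if __name__ == "__main__":
    packets = parse_packets(dearmor(build_sample_export()))
    for name, (_, length) in zip(packet_names(packets), packets):
        print(f"{name:15s} {length:4d} bytes")
    print("primary key included:", includes_primary_key(packets))
```

Feed it the text of a real gpg --export --armor [keyid] instead of build_sample_export() and the packet list should match what gpg --list-packets prints for the same file: a public-key packet first, then user-id and signature packets, then one public-subkey packet per subkey, each followed by its binding signature. A stream that starts with a public-subkey packet is the case the answer warns about, a subkey shared without its primary key, and includes_primary_key returns False for it.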