[Gpg4win-users-en] Subkey generation: kleopatra vs. commandline

Werner Koch wk at gnupg.org
Wed Feb 12 08:36:39 CET 2014

On Tue, 11 Feb 2014 10:39, fabian.nick at scai.fraunhofer.de said:

> 1) What exactly are subkeys for?

They make key management easier.  The user needs to know only about the
primary key and the OpenPGP application takes care of using the right

best practice cryptography operational rules require that a certain key
is only used for one purpose (signing or encryption).  By using a
primary key for signing and a subkey for encryption, OpenPGP allows one
to implement this.  X.509 has no such provision and to satisfy the rules
one needs to create two entirely different keys and manage both.

You may also add other subkeys for other purposes.  For example an SSH
key or a key for Bitcoin (currently in development).  Still you can
identify all these keys with just one fingerprint or user id.

> 3) How do I create a public key without a subkey from the command line?

  $ gpg --gen-key
  Please select what kind of key you want:
     (1) RSA and RSA (default)
     (2) DSA and Elgamal
     (3) DSA (sign only)
     (4) RSA (sign only)
     (7) DSA (set your own capabilities)
     (8) RSA (set your own capabilities)
  Your selection? 4
  RSA keys may be between 1024 and 4096 bits long.
  What keysize do you want? (2048) 

The primary key must be capable of signing, thus you do not see an
encrypt-only choice here.  To later add another subkey, you use "gpg
--edit-key" and then the command "addkey".



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gpg4win-users-en mailing list