[Gpg4win-users-en] Subkey generation: kleopatra vs. commandline

Fabian Nick fabian.nick at scai.fraunhofer.de
Wed Feb 12 09:50:23 CET 2014

Thanks Werner,

does that mean that the keypair created with kleopatra (which has no subkey) can (or should?!) only be used for signing?
I'm asking because a friend of mine (who actually brought up this question) has send me his public key which contains no subkey and he was a bit confused since my public key I sent him does have a subkey.


----- Original Message -----
> From: "Werner Koch" <wk at gnupg.org>
> To: "Fabian Nick" <fabian.nick at scai.fraunhofer.de>
> Cc: gpg4win-users-en at wald.intevation.org
> Sent: Wednesday, 12 February, 2014 8:36:39 AM
> Subject: Re: [Gpg4win-users-en] Subkey generation: kleopatra vs. commandline
> On Tue, 11 Feb 2014 10:39, fabian.nick at scai.fraunhofer.de said:
> > 1) What exactly are subkeys for?
> They make key management easier.  The user needs to know only about
> the
> primary key and the OpenPGP application takes care of using the right
> key.
> best practice cryptography operational rules require that a certain
> key
> is only used for one purpose (signing or encryption).  By using a
> primary key for signing and a subkey for encryption, OpenPGP allows
> to
> implement this.  X.509 has no such provision and to satisfy the rules
> one need to create two entirely different keys and manage both.
> You may also add other subkeys for other urpiuses.  For example an
> key or a key for Bitcoin (currently in development).  Still you can
> identify all theses keys with just one fingerprint or user id.
> > 3) How do I create a public key without a subkey from the command
> > line?
>   $ gpg --gen-key
>   Please select what kind of key you want:
>      (1) RSA and RSA (default)
>      (2) DSA and Elgamal
>      (3) DSA (sign only)
>      (4) RSA (sign only)
>      (7) DSA (set your own capabilities)
>      (8) RSA (set your own capabilities)
>   Your selection? 4
>   RSA keys may be between 1024 and 4096 bits long.
>   What keysize do you want? (2048)
> The primary key must be capable of signing, thus you do not see an
> encrypt-only choice here.  To later add another subkey, you use "gpg
> --edit-key" and then the command "addkey".
> Salam-Shalom,
>    Werner
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gpg4win-users-en mailing list