12

When using gpg to create a single key, I get:

$  gpg --list-keys
-------------------------------
pub   2048R/0C0EA301 2018-01-01
uid       [ultimate] 
sub   2048R/023A0509 2018-01-01


$ gpg --list-secret-keys
-------------------------------
sec   2048R/0C0EA301 2018-01-01
uid                  
ssb   2048R/023A0509 2018-01-01

When using bouncycastle to view the keys (in ~/.gnupg/pubring.gpg and ~/.gnupg/secring.gpg), I find that there are four keys created:

(#gpg.public[9AB238A08EF3EAB0A7D01E1284AB64C10C0EA301] 
 #gpg.public[A841D2BA6635154081F3A5176DE7FF9B023A0509])

(#gpg.secret[9AB238A08EF3EAB0A7D01E1284AB64C10C0EA301] 
 #gpg.secret[A841D2BA6635154081F3A5176DE7FF9B023A0509])

Why does gpg create four keys (public/private/sub/ssb) and what are they for?

F1Linux
  • 273
  • 7
  • 13
zcaudate
  • 233
  • 2
  • 6

1 Answer

16

The abbreviations stand for the following:

  1. pub -- public primary key
  2. sub -- public sub-key
  3. sec -- secret primary key
  4. ssb -- secret sub-key

In asymmetric cryptography you always have key pairs: A public key to encrypt, a private (secret) key to decrypt. Here we have two key pairs: (1, 3) and (2, 4). They can be identified by their identical fingerprints.

But why are there two key-pairs? When generating an OpenPGP key with GnuPG, by default a primary key (pair), also called master-key, and a sub-key (pair) are created. The primary key, also called master-key, contains one or more user-IDs (name, email-address) and is used for signing. The sub-key, signed by the primary key and thus confirmed to belong to its user-IDs, is used for encryption/decryption.

The idea for having a master-key with sub-keys is very well described here. If you want to deviate from the default behaviour and gain more control over the key generation, e.g. create only a single key-pair or select a certain cryptographic algorithm, you should try gpg --full-gen-key (introduced in GnuPG 2.1.17).

kinnla
  • 276
  • 3
  • 6
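The pairing the answer describes (pub with sec, sub with ssb, joined on the key ID) can be checked mechanically. The following is an added example, not code from the question or the answer: it parses the human-readable `gpg --list-keys` / `gpg --list-secret-keys` format shown above and joins the two listings on the key ID. The sample listings are constructed from the question's output (the user ID string is made up, since the original is blank), and a third listing is constructed to show what the same keyring looks like after the secret primary key has been moved offline, which GnuPG marks with `#` after `sec` (a key held on a smartcard is marked with `>`). The role labels follow the answer's description of the GnuPG default (primary key signs, subkey encrypts); the authoritative capability flags live in the machine-readable `--with-colons` output, which this parser does not read.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the two listings from the question, same key IDs.
# The "-----" line is the keyring path separator gpg prints before the keys.
PUBLIC_LISTING = """\
-------------------------------
pub   2048R/0C0EA301 2018-01-01
uid       [ultimate] Example User <user@example.invalid>
sub   2048R/023A0509 2018-01-01
"""

SECRET_LISTING = """\
-------------------------------
sec   2048R/0C0EA301 2018-01-01
uid                  Example User <user@example.invalid>
ssb   2048R/023A0509 2018-01-01
"""

# Constructed variant: the same keyring after the secret primary key was moved
# offline. GnuPG flags a missing secret key with '#' (sec#) and a key that
# lives on a smartcard with '>' (ssb>).
OFFLINE_SECRET_LISTING = """\
-------------------------------
sec#  2048R/0C0EA301 2018-01-01
uid                  Example User <user@example.invalid>
ssb   2048R/023A0509 2018-01-01
"""

# One key line: kind, optional availability marker, "<bits><algo>/<keyid> <date>".
KEY_LINE = re.compile(
    r"^(?P<kind>pub|sub|sec|ssb)(?P<marker>[#>]?)\s+"
    r"(?P<bits>\d+)(?P<algo>[A-Za-z])/(?P<keyid>[0-9A-Fa-f]{8,16})\s+"
    r"(?P<created>\d{4}-\d{2}-\d{2})"
)


@dataclass
class KeyRecord:
    kind: str               # pub, sub, sec or ssb
    bits: int
    algo: str               # 'R' = RSA in this listing format
    keyid: str
    created: str
    material_present: bool  # False when gpg printed '#' (secret key not in keyring)
    on_card: bool           # True when gpg printed '>' (secret key on a smartcard)


def parse_listing(text: str) -> List[KeyRecord]:
    """Extract the key lines; uid lines, the path separator and blanks are skipped."""
    records = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        records.append(KeyRecord(
            kind=m["kind"], bits=int(m["bits"]), algo=m["algo"],
            keyid=m["keyid"].upper(), created=m["created"],
            material_present=m["marker"] != "#",
            on_card=m["marker"] == ">",
        ))
    return records


def pair_keys(public_text: str, secret_text: str) -> Dict[str, dict]:
    """Join the public and secret listings on key ID: one entry per key pair.

    'role' follows the GnuPG default the answer describes (primary certifies
    and signs, subkey encrypts). 'consistent' is False if the two halves
    disagree about whether a key is primary or subkey."""
    pairs: Dict[str, dict] = {}

    def entry(keyid: str, primary: bool) -> dict:
        return pairs.setdefault(keyid, {
            "role": "primary (sign)" if primary else "subkey (encrypt)",
            "public": None, "secret": None,
            "secret_present": False, "on_card": False, "consistent": True,
        })

    for rec in parse_listing(public_text):
        entry(rec.keyid, rec.kind == "pub")["public"] = rec.kind
    for rec in parse_listing(secret_text):
        e = entry(rec.keyid, rec.kind == "sec")
        e["secret"] = rec.kind
        e["secret_present"] = rec.material_present
        e["on_card"] = rec.on_card
        # pub must pair with sec, sub with ssb
        if e["public"] is not None:
            e["consistent"] = (e["public"], rec.kind) in {("pub", "sec"), ("sub", "ssb")}
    return pairs


if __name__ == "__main__":
    for label, sec in (("online", SECRET_LISTING), ("primary offline", OFFLINE_SECRET_LISTING)):
        print(f"== {label} ==")
        for keyid, p in pair_keys(PUBLIC_LISTING, sec).items():
            print(keyid, p["role"], p["public"], "+", p["secret"],
                  "secret present" if p["secret_present"] else "secret NOT in keyring")
```

Run it directly to see both keyrings summarised; the interesting line in the second listing is `0C0EA301`, where the public primary key is still present (so signatures made with it still verify and the subkey binding still checks out) while its secret half is absent, which is exactly the setup the linked master-key/sub-key article advocates.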