PGP and SSH keys (What/Why-TO)

PGP and SSH keys (What/Why-TO)

The content below is an almost exact copy of this (brilliant) article/tutorial by Eric Severance.
In hindsite, it feels like the steps followed are obvious. As a n00b13 it was confusing, since I did not grasp the underlying foundation adequately.

I can/will not add anything to it – I will only change the layout to bullet points, add in my 2 cents worth of (hopefully) relevant comments, and move the HOWTO part to a separate post (in which I will tweak it to my preferences). I don’t recommend doing the HOWTO until you have understood the concepts properly – which will sound silly to clever people, but that’s not relevant for us lesser beings.

Master keys1, Subkeys2, and User IDs3

OpenPGP keys normally have three parts:

  • one master key,
  • one or more subkeys,
  • one or more user ids.

In my 1st attempt to work with keys, I created 4 keys, one key per ID, each of which were Master,Sign,Encrypt and Authenticate. In terms of “worst practices” I was up there with the worst of the best


1) The master key is the most important key.

  • Having the private half of the master key proves that you own the OpenPGP key.
  • The master key is used to
    • add/remove subkey(s)
    • sign/certify other people’s keys.
  • You don’t need to have the master key present for everyday signing and encryption.
  • If possible, the master key should be
    • kept offline (also better to create it offline if you’re a wannabe tinhatter)
    • ONLY used when
      • adding or revoking subkeys
      • certifying another person’s PGP key.

2) Subkeys make maintenance of a OpenPGP key easier.

  • Subkeys can be used for
    • signing data
    • encrypting data
    • authentication
  • The lifetime and purpose (encrypt,sign,authenticate) of a subkey is controlled by the master key.
  • Subkeys can be added and removed from the PGP key at any time by the owner of the master key.
  • Subkeys can be installed on a computer that does not have access to the master key.
    • On that computer, the subkeys will be used for encryption/decryption and signing.
    • If the subkeys (or computer) are ever stolen, the master key can then be used to revoke the stolen subkeys and to add new subkeys to the PGP key. This can all be done without generating a new PGP key as long as the master key was not also stolen.

    For more information about subkeys, see the Debian wiki page about Subkeys.

3) User IDs are used to identify the owner of the OpenPGP key.

  • The User ID normally contains the name and email address of the person who owns the PGP key.
  • User IDs are added to a PGP key using the master key.
  • When another person signs your PGP key, they sign both the public master key and the User ID parts of the PGP key.


The better way to do what I wanted, is to create

  • ONE master key
    • It has multiple User IDs
    • It can/should ONLY be used/able to Certify
    • It has a 2y lifespan
  • ONE Signing(ONLY) subkey [1y lifespan]
  • ONE Encrypting(ONLY) subkey [1y lifespan]
  • ONE Authentication(ONLY) subkey [1y lifespan]

Leave a Reply

Your email address will not be published. Required fields are marked *

2 + 18 =