-   Linux - Security (
-   -   PGP keys: concept question (

joe293 09-21-2008 03:27 PM

PGP keys: concept question
Good evening,
I've got a question about the concept of PGP.

I thought I understood everything:
A private keypair contains 2 keys, a DSA-key and a ElGamal-Key.
The ElGamal-Key decrypts, the DSA-key encrypts. Nobody else than me should have access to the DSA-key.

But then I read the GnuPG manual section about subkeys that says:

Selecting expiration dates and using subkeys
By default, a DSA master signing key and an ElGamal encryption subkey are generated when you create a new keypair. This is convenient, because the roles of the two keys are different, and you may therefore want the keys to have different lifetimes. The master signing key is used to make digital signatures, and it also collects the signatures of others who have confirmed your identity. The encryption key is used only for decrypting encrypted documents sent to you. Typically, a digital signature has a long lifetime, e.g., forever, and you also do not want to lose the signatures on your key that you worked hard to collect. On the other hand, the encryption subkey may be changed periodically for extra security, since if an encryption key is broken, the attacker can read all documents encrypted to that key both in the future and from the past.
So, does that mean, that the DSA master signing key, which seems to be the private key is signed, which would mean that it has to be given away?
And that means, that with the help of the DSA master key, I can generate a ElGamal Key with limited livetime and not publish the primary ElGamal Key that had been created? Or, in my case, revoking the primary ElGamal Key, because I want to have a limited subkey.

Please tell me how to manage having subkeys.

greethings, joe

almatic 09-23-2008 04:45 PM

both keys (dsa and elgamal) have a public and a private part, the private part is never given away.
Only the dsa is never used for encryption, it's used for signatures only while the elgamal key is used for encryption.
The advantage is, that, if you wanna change your encryption key for security reasons, you will keep your signatures (web of trust). You just change the encryption (sub)key.

joe293 09-24-2008 11:38 AM

ah, now I inderstand :)
thanks, almatic.

greethings, joe

All times are GMT -5. The time now is 01:54 AM.