Why does GPG/PGP by default use different keys for signing/encryption?


Solution 1

In the United Kingdom, the Regulation of Investigatory Powers Act 2000 says

49 (9) A notice under this section shall not require the disclosure of any key which—

(a) is intended to be used for the purpose only of generating electronic signatures; and

(b) has not in fact been used for any other purpose.

…which means that the UK government may, in some circumstances, be able to compel you to hand over your decryption key (if you're a resident) but they're not allowed to impersonate you with your signing key.

Solution 2

I don’t know specifically why GPG/PGP does what it does, but one possible motivation for this sort of thing is disaster recovery.  You might want to give a copy of your encryption private key to a very close, trusted friend, so, if your house is hit by a meteorite, you can still read your old messages that are saved in the cloud.  (Similarly, you might be required to give your encryption key¹ to your boss, so he can read your email after you leave.)

But there’s no reason for anybody else to have a copy of your signing key pair.
________________
¹ “you might be required to give your encryption key” to somebody — see TEV’s answer.

Solution 3

The simple answer is that the more you use a key the more information you leak about the key.

A signing key is used by you to authenticate that you trust a key, and by inference the owner, but more importantly that your communications come from you. This is called non-repudiation.

For argument's sake let's say using a key 10000 times means you leak all the information needed for somebody to reconstruct that key. Using one key >9999 times would mean that somebody else could potentially impersonate you and convey your trusted signature to an evil third party's key or document, causing all your trusted network to believe this party is you or the document comes from you.

However if you are also encrypting with that same key the threshold is more quickly reached.

To avoid that potential annoyance a second key is created, which is used only for encryption/decryption, which is only used to encrypt data as you. Once this key has been used 9999 times you can expire this key without losing all the trust you handed out with your valid signing key. You rekey, generate a new encryption key, and sign it with your signing key to show that this is a trusted encryption key which everybody can verify.

EDIT:

On re-reading what I wrote above and the GNU Privacy Handbook, my conclusion is that sub is a private key and pub must be a public key. @GnP this answer:

"The keyword pub identifies the public master signing key, and the keyword sub identifies a public subordinate key."

Solution 4

If you create a new GPG key, you'll by default get a signing-only master key pair and an encryption-only sub-key pair.

Messages can be:

  • unsigned and unencrypted
  • signed and unencrypted
  • unsigned and encrypted
  • signed and encrypted

and there are uses for each of those cases, depending on what you are trying to accomplish with signing and encryption.

If by signing you are establishing identity/endorsement, and by encrypting you are making messages private, being able to encrypt but not sign gives you the ability to send a private message that isn't necessarily associated with your identity or endorsed by you. You would want separate keys in this case.
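To make the split described in the answers above checkable, here is an added example (not code from the original question or from GnuPG) that parses the key-listing format quoted in the question (`pub`/`sub` lines with a `usage:` field of S, C, E and A flags) and reports which keys can be escrowed or retired independently. The sample listings are constructed, with the same placeholder key IDs the question uses, and the finding codes and the helper names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input, modelled on the listing format quoted in the
# question; the key IDs are placeholders, not real keys.
SAMPLE_LISTING = """\
pub  2048R/XXXXXXXX  created: 2013-02-09  expires: 2014-02-09  usage: SC
sub  2048R/ZZZZZZZZ  created: 2013-02-09  expires: 2014-02-09  usage: E
pub  2048R/YYYYYYYY  created: 2013-08-13  expires: 2014-08-13  usage: SCEA
sub  2048R/VVVVVVVV  created: 2013-08-13  expires: 2014-08-13  usage: SEA
"""

# Constructed sample of the layout the question recommends: a certify-only
# master kept offline, plus one signing-only and one encryption-only subkey.
RECOMMENDED_LISTING = """\
pub  2048R/AAAAAAAA  created: 2013-02-09  expires: 2014-02-09  usage: C
sub  2048R/BBBBBBBB  created: 2013-02-09  expires: 2014-02-09  usage: S
sub  2048R/CCCCCCCC  created: 2013-02-09  expires: 2014-02-09  usage: E
"""

# One listing line: kind, size+algorithm letter, key ID, dates and usage flags.
LINE_RE = re.compile(
    r"^(?P<kind>pub|sub)\s+(?P<bits>\d+)(?P<algo>[A-Za-z])/(?P<keyid>[0-9A-Za-z]+)"
    r"\s+created:\s*(?P<created>\S+)\s+expires:\s*(?P<expires>\S+)"
    r"\s+usage:\s*(?P<usage>[SCEA]+)$"
)


@dataclass
class Key:
    kind: str            # "pub" = master key, "sub" = subkey
    keyid: str
    usage: set           # subset of {"S", "C", "E", "A"}
    subkeys: list = field(default_factory=list)


def flags(key):
    """Render the usage set in GnuPG's conventional S/C/E/A order."""
    return "".join(f for f in "SCEA" if f in key.usage)


def parse_listing(text):
    """Group each pub line with the sub lines that follow it; other lines are skipped."""
    masters = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key = Key(m["kind"], m["keyid"], set(m["usage"]))
        if key.kind == "pub":
            masters.append(key)
        elif masters:
            masters[-1].subkeys.append(key)
        else:
            raise ValueError("sub line before any pub line: " + raw)
    return masters


def audit(master):
    """Return (code, message) findings for one master key and its subkeys."""
    findings = []
    subs = master.subkeys
    if "E" in master.usage:
        findings.append(("MASTER_ENCRYPTS",
            f"master {master.keyid} (usage {flags(master)}) can decrypt: escrowing it "
            "or replacing it after loss also gives up the key that carries your certifications"))
    if "S" in master.usage and not any("S" in s.usage for s in subs):
        findings.append(("MASTER_ONLY_SIGNER",
            f"master {master.keyid} is the only signing key: add a signing-only subkey "
            "so the master can stay offline and be used just for key-signing"))
    for s in subs:
        if "S" in s.usage and "E" in s.usage:
            findings.append(("COMBINED_SUBKEY",
                f"subkey {s.keyid} (usage {flags(s)}) both signs and decrypts: it cannot be "
                "escrowed or retired for one purpose without the other"))
    if not any(s.usage == {"E"} for s in subs):
        findings.append(("NO_ENCRYPTION_ONLY_SUBKEY",
            f"{master.keyid} has no encryption-only subkey: nothing can be rotated "
            "or escrowed independently of signing"))
    return findings


def audit_listing(text):
    """Map each master key ID to the list of finding codes raised for it."""
    return {m.keyid: [code for code, _ in audit(m)] for m in parse_listing(text)}


if __name__ == "__main__":
    for listing in (SAMPLE_LISTING, RECOMMENDED_LISTING):
        for master in parse_listing(listing):
            print(f"pub {master.keyid} usage {flags(master)}")
            for code, msg in audit(master):
                print(f"  [{code}] {msg}")
```

Run against the two listings from the question, the first key (SC master, E subkey) only draws the "master is the only signing key" finding that the question's recommendation already anticipates, while the combined SCEA/SEA key draws three findings; the recommended C/S/E layout draws none. The parser accepts only the exact line shape shown in the question, so feed it that style of listing rather than the colon-separated `--with-colons` output.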


Author: Chaos_99

Updated on September 18, 2022

Comments

  • Chaos_99
    Chaos_99 over 1 year

    If you create a new GPG key, you'll by default get a signing-only master key pair and an encryption-only sub-key pair.

    pub  2048R/XXXXXXXX  created: 2013-02-09  expires: 2014-02-09  usage: SC  
    sec  2048R/XXXXXXXX           2013-02-09 [expires: 2014-02-09]
    
    sub  2048R/ZZZZZZZZ  created: 2013-02-09  expires: 2014-02-09  usage: E
    ssb  2048R/ZZZZZZZZ           2013-02-09 [expires: 2014-02-09]  
    

    (Output combined from gpg --list-keys and gpg --list-secret-keys)

    It's also recommended to not use your master key for regular signing (of mails/data), but to create another signing-only sub-key and remove/backup your master key to a safe and offline location only to be used for key-signing.

    This makes sense as most encryption endpoints are laptops/phones or other always-online, mobile devices which put your private keys at risk of theft or loss. With a securely stored master key, you can always revoke such lost sub-keys and never lose your key signatures.

    So while the master-key <-> sub-key separation is clear to me, I don't understand why there is this emphasis on separating signing and encryption keys (even if they are both sub-keys). Can somebody explain why this is necessary or at least what the advantage is from a security or practical perspective?

    Technically it's entirely feasible and supported by GnuPG to create a signing AND encrypting sub-key.

    pub  2048R/YYYYYYYY  created: 2013-08-13  expires: 2014-08-13  usage: SCEA
    sub  2048R/VVVVVVVV  created: 2013-08-13  expires: 2014-08-13  usage: SEA 
    
    • GnP
      GnP over 7 years
      There's a good answer to this question over at Security.SE in case anyone's interested.
  • Chaos_99
    Chaos_99 almost 11 years
    I suppose for most people the signing key is used way more often than the encryption key, as almost all mails will be signed but only some will be encrypted. In this case, the gpg-default is the wrong way around, as the encr. key is easy to change while the signing key is not.
  • Daniël W. Crompton
    Daniël W. Crompton almost 11 years
    As you usually encrypt with somebody else's public key this does sound somewhat logical, and there are probably good reasons for this that I'm currently unaware of.
  • Chaos_99
    Chaos_99 almost 11 years
    You are right. Please exchange "encryption" with "decryption" in my comment. But the point remains valid. You sign more often than you DEcrypt. I asked this question to find out about exactly the "probably good reasons" you mentioned.
  • Chaos_99
    Chaos_99 almost 11 years
    Both the master as well as the sub-key are valid key PAIRS with public and private key. The abbreviation for the private master is 'sec', for the private sub-key 'ssb'. Both can be seen with gpg --list-secret-keys. The listings given above show only public keys returned by gpg --list-keys.
  • Chaos_99
    Chaos_99 almost 11 years
    Edited question above.
  • Scott - Слава Україні
    Scott - Слава Україні almost 10 years
    One of us is confused. When do you “encrypt data as you”? When a communication (mail message or document) is encrypted, the sender is using the recipient’s public (encryption) key. When I use my encryption private key, I’m using it to decrypt an encrypted message back into plaintext, and the result is not externally visible – so how does using your encryption key leak any information?
  • Sebastian Carlier
    Sebastian Carlier almost 10 years
    Please review your edit, as to my knowledge there is a public keypair and a subkey keypair. In total, by default GPG will create two RSA 2048 keypairs, one for encryption and one for signing. If you look into the GPG packets of a key downloaded from an sks-keyserver for example (and keyservers do not store private keys) you can see a public key packet containing protocol specific values that form the public key (for RSA or DSA for example); used by the recipient of the message for verification of the message's integrity.
  • Mokubai
    Mokubai almost 10 years
    [cont'd from Sebastian Carlier] Then you can also see a subkey packet that holds a public key ( RSA and Elgamal for example ) used for encryption by the sender. The public key is part of the public/private keypair of the receiver of course. tools.ietf.org/html/rfc4880#section-5.5.1.2
  • Daniël W. Crompton
    Daniël W. Crompton almost 10 years
    @Scott you sign data as you using your private key, which is verified using your public key.
  • Daniël W. Crompton
    Daniël W. Crompton almost 10 years
    @SebastianCarlier You might want to put that answer in an answer of your own.
  • Daniël W. Crompton
    Daniël W. Crompton almost 10 years
    @Scott I think you meant me. You need to read the question again, he asks about key pairs for signing keys and key pairs for signing mail. Granted my answer could be made clearer.
  • Scott - Слава Україні
    Scott - Слава Україні almost 10 years
    @DaniëlW.Crompton (1) Oops, you’re right; I just looked at the last comment on the page. (2) I just read the question again, and I still believe that it’s asking about separate keys (key pairs) for signing and encrypting, not signing other keys versus signing communications (emails).
  • Daniël W. Crompton
    Daniël W. Crompton almost 10 years
    @Scott I think it's actually a signing key for signing your own keys, and other keys.
  • Scott - Слава Україні
    Scott - Слава Україні almost 10 years
    Correct me if I’m wrong, but I believe that, when you encrypt a message, you use the recipient’s (public) key, so, once it leaves your hands, it’s not traceable to you. Your encryption key is for others to send encrypted messages to you.
  • GnP
    GnP over 7 years
    "the more you use a key the more information you leak about the key" do you have a source for that claim?
  • GnP
    GnP over 7 years
    "sub is a private key and pub must be a public key." nope. From the handbook you linked: "The keyword sec identifies the private master signing key, and the keyword sbb identifies the private subordinates keys" and also "The keyword pub identifies the public master signing key, and the keyword sub identifies a public subordinate key"
  • Daniël W. Crompton
    Daniël W. Crompton over 7 years
    @GnP Thanks for the info, I will change the answer.
  • Jonathan Cross
    Jonathan Cross about 7 years
    Interesting... this would apply to Bitcoin private keys as well then (only used for signing, not used for encryption).
  • Admin
    Admin about 7 years
    …and it looks like this exemption stays in place in the 2016 act.
  • Ben
    Ben over 6 years
    @Scott yes, but most people usually have a default key set as well so they can read whatever is in their outbox and usually to specify a default signature. Though in those cases the key ID of the master/certification key is used to select the correct subkey.