Programster's Blog

Tutorials focusing on Linux, programming, and open-source

GPG - Subkeys


Until now, I have always been ignoring the subkey concept because I didn't understand it. I have been generating new master keys each year for my needs. However, I am now going to switch over to using one master key and using it to generate/revoke subkeys which are the ones I will actually be using day-to-day. E.g. I will be generating new subkeys each year for encrypting my emails. I should have started out this way, but we all learn along the way.

There is an excellent Debian Wiki post post that this post is based on, and convinced me to change my behaviour.

Related Posts

Why Subkeys?

Subkeys make key management easier.

You can keep your identity tied to your master key that you keep locked away in a vault at the bottom of a dungeon that has guard dogs and armed guards. Use subkeys that expire for day-to-day things such as encrypting files, digitally signing emails or code. If your subkey becomes compromised, go to the effort of retrieving your master key and use it to revoke the subkey before generating a replacement.

You will need to use the master key only in exceptional circumstances such as when you:

  • sign someone else's key or revoke an existing signature.
  • add a new UID or mark an existing UID as primary.
  • create a new subkey.
  • revoke an existing UID or subkey.
  • change the preferences (e.g., with setpref) on a UID.
  • change the expiration date on your master key or any of its subkey.
  • revoke or generate a revocation certificate for the complete key.
Last updated: 17th February 2024
First published: 16th August 2018