---
title: Generate and Use Subkey(s)
sidebar:
order: 4
---
GpgFrontend allows users to extend their primary key pairs by generating one or
more subkeys. Subkeys can be used for specific cryptographic purposes, such as
encryption, signing, or authentication, while keeping the primary key more
secure and reserved for certification.
## Generating a Subkey
There are **two entry points** to generate a subkey:
### Method 1: From Key Management
1. **Open Key Management**
   - Navigate to the main **KeyPair Management** interface.
   - Right-click on the key pair to which you want to add a subkey.
   - Select **“New Subkey”** from the context menu.

### Method 2: From Key Details View
1. **Open Key Details**
   - Double-click on the desired key pair in the **Key Management** list.
   - Switch to the **Keychain** tab.
   - Click the **“Generate A New Subkey”** button.

### Configuring the Subkey
Once the subkey generation dialog appears, configure the following settings:
- **Algorithm**: Choose the algorithm for the subkey. Options include:
  - RSA, DSA
  - ECC (e.g., ED25519, ED448, CV25519, SECP256K1, Brainpool, NIST curves, etc.)
  - ECDH for encryption, EdDSA for signing, etc.
- **Key Size**: Select the desired key size. This setting is available for most
algorithms, including RSA, DSA, and ECC variants (such as Curve25519,
Brainpool, or NIST curves). For curve-based algorithms, the key size is
determined by the selected curve (e.g., ED25519 = 256 bits), while RSA/DSA
allow configurable sizes such as 2048, 3072, or 4096 bits.
- **Expiration Date**: Set how long the subkey remains valid:
  - Predefined periods (e.g., 1 year, 2 years)
  - Exact date/time
  - Or enable **“Non Expired”** for permanent validity.
- **Key Usage**: Choose what the subkey can be used for:
  - `Encrypt`
  - `Sign`
  - `Authenticate`

*(Certification usage is reserved for primary keys.)*
### Final Step: Generate
Once all configurations are completed:
- Review your choices in the summary area (if available).
- Click **“Generate”** to create the subkey.
- The new subkey will be listed under the **Keychain** tab of the selected key
pair.

## Understanding Primary Keys and Subkeys
In the realm of cryptography, key management plays a crucial role in ensuring
data security. A key pair consists of a primary key and one or more subkeys,
each serving distinct functions yet working together to secure and manage
digital identities and communications. This structure not only enhances security
but also provides flexibility in key usage and management.
### The Role of Primary Key and Subkeys
- **Primary Key**: The primary key is the cornerstone of your cryptographic
identity. It is used for identity verification, which includes signing other
keys to establish trust. The primary key's signature on a subkey validates the
subkey's association with the identity of the primary key holder.
- **Subkeys**: Subkeys are associated with the primary key and are used for
encryption and signing documents or messages. Subkeys can be thought of as
extensions of the primary key, each designated for specific tasks. This
separation of duties allows for greater security and operational flexibility.
For example, you can have separate subkeys for signing and encryption.
### Advantages of Using Subkeys
1. **Enhanced Security**: By using subkeys for day-to-day operations, you
minimize the risk associated with key exposure. If a subkey is compromised,
it can be revoked without affecting the primary key or other subkeys, thereby
limiting the potential damage.
2. **Operational Flexibility**: Subkeys allow for specific roles (e.g., signing,
encryption) to be isolated. This means you can renew or revoke subkeys as
needed without disrupting the overall cryptographic setup.
3. **Convenient Key Rotation**: Regularly updating keys is a best practice in
cryptography. Subkeys make it easier to rotate keys for signing and
encryption without needing to re-establish the primary key's trust
relationships.
## Best Practices for Using Subkeys
After understanding the concepts discussed above, you might be wondering how
exactly you can use subkeys effectively to maximize their advantages. In
principle, the main goal is to separate the subkeys from the primary key for
better security. If your subkeys are always kept together with the primary
key, you will always need to use the complete set of keys, increasing the risk
of compromising the primary key. GpgFrontend supports the export of individual
subkeys, as well as the configuration of multiple key databases. Using these
features together, you can easily isolate a particular subkey, export it, and
import it into another key database. This allows you to secure the primary key
separately, even removing it from the original key database to reduce
exposure. For high-security environments, it is recommended that:
> "The primary key should be stored in a highly secure location, preferably
> offline or in a hardware security module (HSM), to prevent unauthorized
> access. The loss or compromise of the primary key jeopardizes the entire
> cryptographic framework."
### Step-by-Step Guide to Exporting Subkeys
To demonstrate how to export an individual subkey, let's refer to the screenshot
provided. Below is a step-by-step guide to navigate the GpgFrontend interface
and successfully export a subkey:
1. **Open Key Details View**: Open the GpgFrontend application and navigate to
the key database section. Select the desired key from the list to open the
**Key Details** view.
2. **Access the Keychain Tab**: Click on the **Keychain** tab within the Key
Details window. Here, you will be able to see a list of all keys associated
with your selected primary key. The list includes the primary key itself,
which is displayed in the first row, as well as any subkeys.
3. **Select a Subkey**: Locate and click on the subkey you wish to export. Once
selected, details about the subkey will appear in the lower half of the
window, providing information such as **Key ID**, **Algorithm**, **Key
Size**, and **Usage**.
4. **Export the Subkey**: On the right side of the key details section, there is
an **Export Subkey** button, highlighted in the screenshot. Click this button
to start the export process.
5. **Save the Subkey File**: A file dialog will appear, prompting you to specify
a location to save the exported subkey. Choose a secure directory and save
the subkey as a separate file.

### Step-by-Step Guide to Importing Subkeys
To demonstrate how to import an individual subkey that has been previously
exported, let's refer to the screenshots provided. Below is a step-by-step guide
to navigate the GpgFrontend interface and successfully import a subkey:
1. **Select the Key Database**: Choose the appropriate key database from the
**Key Toolbox**.
2. **Import the Subkey**: Click on the **Import Key** button in the top toolbar,
and select **File** from the dropdown menu. This action will open a dialog
where you can browse your system to locate the previously exported subkey
file.
3. **Select Subkey File**: Browse to the location where the subkey file is
saved, select it, and click **Open**. This will import the subkey into the
selected key database.
4. **Verify Imported Subkey**: After importing the subkey, locate it in the
**Key Toolbox** list. Click on the subkey to open its **Key Details** view.
You should see all relevant information about the subkey, including **Key
ID**, **Algorithm**, **Key Size**, and **Usage**.
5. **Handle the Primary Key**: You can now move your primary (master) key to a
safe place, then delete it from GpgFrontend.

### Confirming Primary Key Absence
In the **Key Toolbox**, you may notice that some keys have a `#` symbol next to
their **Type** (e.g., **pub/sec#**). This symbol indicates that the primary key
for this subkey does not exist in the current key database. This is expected if
you have securely removed the primary key to minimize exposure, while retaining
the subkeys for ongoing operations.

You can confirm the absence of the primary key by opening the **Key Details**
view of the imported subkey. In the **Primary Key Existence** section, it should
indicate **Not Exists**. This ensures that the primary key is not present, which
enhances the overall security of your cryptographic setup.
## Key Functionality Without a Primary Key
When a primary key is absent from the key database, certain limitations apply.
You can confirm the absence of the primary key by checking the **Primary Key
Existence** section in the Key Details view, which will display **Not Exists**.
This setup is intentional in many cases to improve security by isolating the
primary key.

### Actions Limited by the Absence of a Primary Key
1. **Creating New Subkeys**: The absence of the primary key prevents the
generation of additional subkeys.
2. **Adding UID**: You cannot attach new User IDs (UIDs) to the keyset without
the primary key.
3. **Key Certification**: Signing other keys to certify them as trusted is only
possible with a primary key.
4. **Key Revocation**: Generating a revocation certificate for the subkey or
primary key is impossible without the primary key.
### Practical Example: Subkey-Only Use Case
In scenarios where only the subkey remains, as depicted in the screenshot:
- The subkey can be actively used for encryption purposes (e.g., encrypting
emails or files).
- Since no subkey capable of signing exists, you cannot digitally sign data. To
address this, it is advisable to generate a signing-capable subkey during the
initial key creation process.
This setup is particularly beneficial for environments where the exposure of the
primary key poses a security risk. By isolating the primary key and relying
solely on subkeys, you can maintain a balance between functionality and
security.
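As an added example (not GpgFrontend's own code), the following Python script parses the colon-separated output of GnuPG's `gpg --list-secret-keys --with-colons`, detects the `#` stub marker on the primary key described above, and derives which of the operations listed in this section remain possible. The listing it runs on is a constructed sample with placeholder key IDs.

```python
# Added example, not part of GpgFrontend: parse a GnuPG secret-key listing and
# report which operations remain possible when the primary key is a stub.
# Fields follow GnuPG's doc/DETAILS (1-based): 1 record type, 3 key length,
# 4 algorithm id, 5 key ID, 12 capabilities, 15 '#' when the key is a stub.
from dataclasses import dataclass

# Constructed sample of `gpg --list-secret-keys --with-colons` (placeholder IDs)
# after the primary key was deleted and only an encryption subkey was kept.
SAMPLE_LISTING = """\
sec:u:255:22:0000000000000001:1700000000:::u:::cE:::#::ed25519:::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1700000000::0000000000000000000000000000000000000002::Example User <user@example.com>::::::::::0:
ssb:u:255:18:0000000000000002:1700000000::::::e:::+::cv25519::
"""
ALGO_NAMES = {1: "RSA", 16: "ELG-E", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

@dataclass
class KeyRecord:
    kind: str      # "sec" = primary key, "ssb" = subkey
    key_id: str
    algo: str
    bits: int
    usage: set     # this key's own capabilities (lowercase c, s, e, a)
    is_stub: bool  # True when GnuPG prints '#': secret material is absent

def parse_secret_listing(text: str) -> list:
    """Return a KeyRecord for every sec/ssb line of a --with-colons listing."""
    records = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue
        own_caps = {ch for ch in f[11] if ch.islower()}
        records.append(KeyRecord(f[0], f[4], ALGO_NAMES.get(int(f[3]), f[3]),
                                 int(f[2]), own_caps, f[14] == "#"))
    return records

def type_label(records: list) -> str:
    """Mirror the Type column: 'pub/sec#' marks a missing primary key."""
    stub = any(r.kind == "sec" and r.is_stub for r in records)
    return "pub/sec#" if stub else "pub/sec"

def available_operations(records: list) -> dict:
    """Operations granted by usable keys; certify/add UID/new subkey/revoke need the primary."""
    primary = any(r.kind == "sec" and not r.is_stub for r in records)
    usable = set().union(*(r.usage for r in records if not r.is_stub))
    return {"encrypt": "e" in usable, "sign": "s" in usable,
            "authenticate": "a" in usable, "certify": primary and "c" in usable,
            "add_subkey_or_uid": primary, "revoke": primary}
```

On the sample, `type_label` returns `pub/sec#` and only `encrypt` is available, matching the subkey-only case above; feed it the real listing from your own key database to audit a keyset the same way.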

### Tips for Secure Usage
1. **Inspect Subkey Capabilities**: Always verify what operations a subkey can
perform by reviewing its **Usage** field.
2. **Plan Subkey Generation**: At the time of key creation, consider creating
multiple subkeys with distinct purposes (e.g., signing, encryption,
authentication).
3. **Backup Primary Key Securely**: Store the primary key in an offline, highly
secure location to allow recovery or advanced operations if needed.
### Additional Note on Subkey Algorithm Types
Subkeys in GpgFrontend offer more algorithm types than primary keys due to their
specialized roles. While primary keys focus on establishing identity and trust,
subkeys are often dedicated to specific tasks like encryption or authentication.
This task-specific design allows subkeys to utilize a broader range of
algorithms, enhancing their flexibility and functionality. For instance, while
primary keys may be restricted to certain secure algorithms for signing, subkeys
can employ diverse algorithms optimized for encryption, like ECDH, ensuring
efficient and secure operations tailored to the user's needs.
For more details, see [Comparison of Cryptographic
Algorithms](/extra/algorithms-comparison).
**Subkey Supported Algorithms:**
- RSA
- DSA
- ELG-E
- ECDSA ED25519
- ECDSA ED448 (GnuPG >2.3.0)
- ECDH CV25519
- ECDH SECP256K1 (GnuPG >2.3.0)
- ECDH X448 (GnuPG >2.3.0)
- ECDH NIST P-256
- ECDH NIST P-384
- ECDH NIST P-521
- ECDH BrainPool P-256 (GnuPG >2.3.0)
- ECDH BrainPool P-384 (GnuPG >2.3.0)
- ECDH BrainPool P-512 (GnuPG >2.3.0)