When listing keys with gpg2 --list-secret-keys, one is presented with a bunch of lines that begin with sec and ssb. What do these mean?
Add a comment
|
1 Answer
sec => 'SECret key'
ssb => 'Secret SuBkey'
pub => 'PUBlic key'
sub => 'public SUBkey'
The Debian wiki explains a bit further:
OpenPGP further supports subkeys, which are like the normal keys, except they're bound to a master key pair. A subkey can be used for signing or for encryption. The really useful part of subkeys is that they can be revoked independently of the master keys, and also stored separately from them.
In other words, subkeys are like a separate key pair, but automatically associated with your main key pair.
...
You should keep your private master key very, very safe
...
Subkeys make this easier: you already have an automatically created encryption subkey and you create another subkey for signing, and you keep those on your main computer. You publish the subkeys on the normal keyservers, and everyone else will use them instead of the master keys for encrypting messages or verifying your message signatures.
...
You will need to use the master keys only in exceptional circumstances, namely when you want to modify your own or someone else's key.
-
4I asked about where this might in the official docs at dev.gnupg.org/T1563#122298 Feb 5, 2019 at 6:19
-
7Is there further details for
#and>? I believe#means not present, and>means a stub is present (so the key is on a smartcard) but I cannot find a reference to this.– JaredJun 29, 2020 at 20:06 -
3@Jared some information about these suffixes is in the manual: [quote] A
#after the initial tagssecorssbmeans that the secret key or subkey is currently not usable. We also say that this key has been taken offline (for example, a primary key can be taken offline by exporting the key using the command--export-secret-subkeys). A>after these tags indicate that the key is stored on a smartcard. See also--list-keys. Sep 23, 2021 at 10:45