91

When I list the details of a key I get output like this:

    $ gpg --edit-key SOMEID
    pub  [..] created: [..] expires: [..] usage:SC
    [..]
    sub  [..] created: [..] expires: [..] usage: E

Or even usage: SCA on another key (the master-key part).

What do these abbreviations in the usage field mean?

I can derive that:

    S -> for signing
    E -> for encrypting

But what about C and A?

And are there more?

And where to look stuff like this up?

7 Answers

93

Ok, the gpg manual does not seem to mention these abbreviations. Thus, one has to look at the source.

For example under Debian/Ubuntu:

    $ apt-get source gnupg2
    $ cd gnupg2-2.0.17
    $ cscope -bR
    $ grep 'usage: %' . -r --exclude '*po*'
    $ vim g10/keyedit.c
      jump to usage: %
      jump to definition of `usagestr_from_pk`

From the code one can derive following table:

    Constant            Character
    -------------------------------
    PUBKEY_USAGE_SIG    S
    PUBKEY_USAGE_CERT   C
    PUBKEY_USAGE_ENC    E
    PUBKEY_USAGE_AUTH   A

Thus, for example, usage: SCA means that the sub-key can be used for signing, for creating a certificate and authentication purposes.

4
  • 14
    really anywhere in the docs? Commented Jul 2, 2014 at 19:48
  • @JaimeHablutzel, did you find any good documentation on this? Commented Nov 3, 2014 at 17:59
  • No, sorry, but the source seems a good place to start Commented Nov 5, 2014 at 18:21
  • 2
    never trust documentation. source code is the only and ultimate truth. Commented Mar 19, 2020 at 15:55
30

The layout of the --edit-key listing is not documented (not that I could find anyway). The abbreviations you mention however are, somewhere in the info pages (info gpg).

I searched for S: and found that I actually wanted to search for usage:.

In "GPG Key related Options":

4.2.1 How to change the configuration

These options are used to change the configuration and are usually found in the option file.

    '--list-options parameters'
        show-usage
            Show usage information for keys and subkeys in the standard
            key listing. This is a list of letters indicating the allowed
            usage for a key ('E'=encryption, 'S'=signing,
            'C'=certification, 'A'=authentication). Defaults to no.

So, doing gpg -k --list-options show-usage 1A3ABKEY will show you something like this:

    pub   rsa4096/1A3ABKEY 2015-01-25 [SC]
    uid         [ultimate] Some Key
    sub   rsa4096/4B907KEY 2015-09-19 [S]
    sub   rsa4096/F9A41KET 2015-09-19 [E]

Some more info is found in "Unattended Usage of GPG"

Key-Usage: USAGE-LIST

    Space or comma delimited list of key usages. Allowed values are
    'encrypt', 'sign', and 'auth'. This is used to generate the key
    flags. Please make sure that the algorithm is capable of this usage.
    Note that OpenPGP requires that all primary keys are capable of
    certification, so no matter what usage is given here, the 'cert'
    flag will be on. If no 'Key-Usage' is specified and the 'Key-Type'
    is not 'default', all allowed usages for that particular algorithm
    are used; if it is not given but 'default' is used the usage will be
    'sign'.

So, while not immediately apparent, the info is there, somewhere, on your system. If man does not help you, try man -k and/or info.

3
  • I can see this on the manpage for gpg 1.4.18, however it seems absent from the manual for gpg 2.0.28. Additionally, on both versions, the command "gpg -k --list-options show-usage 1A3ABKEY" outputs "gpg: unknown option `show-usage'" Commented Oct 17, 2015 at 8:28
  • @YoungFrog. Thank you for the comment. I clarified I found the info in the info pages. As for the command not working, for me it works on gpg (2.1.8). When I try gpg1 (1.4.19) I do also get gpg: unknown option 'show-usage' gpg: invalid list options Although its usage is documented in the gpg1 info pages... Commented Oct 18, 2015 at 18:44
  • But what exactly is certify vs. authenticate? Where is the difference, which does what? Commented Jul 31 at 14:36
9

Buried deep in the GnuPG mailing-list...

What do the letters to the right of the words "usage" mean?
(S,C,A,E) I can only guess |S|ign, |E|ncrypt, ....

(S)ign: sign some data (like a file)
(C)ertify: sign a key (this is called certification)
(A)uthenticate: authenticate yourself to a computer (for example, logging in)
(E)ncrypt: encrypt data

7

These key flags are defined in the OpenPGP spec

5.2.3.21. Key Flags

(N octets of flags)

This subpacket contains a list of binary flags that hold information about a key. It is a string of octets, and an implementation MUST NOT assume a fixed size. This is so it can grow over time. If a list is shorter than an implementation expects, the unstated flags are considered to be zero. The defined flags are as follows:

    First octet:
    0x01 - This key may be used to certify other keys.
    0x02 - This key may be used to sign data.
    0x04 - This key may be used to encrypt communications.
    0x08 - This key may be used to encrypt storage.
    0x10 - The private component of this key may have been split by a
           secret-sharing mechanism.
    0x20 - This key may be used for authentication.
    0x80 - The private component of this key may be in the possession of
           more than one person.
1
  • 9
    This looks like a useful reference, but it doesn't really answer the question. Commented Feb 22, 2015 at 5:33
7

Another info source is the DETAILS file in the GnuPG distribution.

Section "Field 12 - Key capabilities" states

    The defined capabilities are:

        e  Encrypt
        s  Sign
        c  Certify
        a  Authentication
        ?  Unknown capability

    A key may have any combination of them in any order. In addition to
    these letters, the primary key has uppercase versions of the letters
    to denote the usable capabilities of the entire key, and a potential
    letter ‘D’ to indicate a disabled key.
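Both the Key Flags octets quoted in the OpenPGP answer above and the field-12 letters described in the DETAILS file are easy to decode mechanically. The script below is an added example, not code from any answer on this page or from GnuPG: it decodes a Key Flags subpacket body into gpg's usage letters, honouring the spec's variable-length rule (empty body means no flags; octets beyond the first carry no known flag), and parses the capability field of a constructed `gpg --with-colons --list-keys` listing to report which key actually provides each capability. The listing, key ids and function names are made up for illustration; the S, C, E, A output order follows gpg's `usagestr_from_pk` as read in the first answer, and showing both 0x04 and 0x08 as a single E is an assumption based on gpg printing only one E letter.

```python
"""Decode OpenPGP Key Flags octets and the key-capability field (field 12)
of gpg --with-colons output, and map each capability back to the key that
provides it."""

# Bits of the first Key Flags octet (RFC 4880 section 5.2.3.21) that gpg
# renders as usage letters.  0x04 (communications) and 0x08 (storage) are
# both shown as E (assumption: gpg prints a single E); 0x10 (split secret)
# and 0x80 (shared secret) are not capabilities and get no letter.
# Tuple order is the order gpg's --edit-key listing prints the letters.
_FLAG_TO_LETTER = (
    (0x02, "S"),
    (0x01, "C"),
    (0x04 | 0x08, "E"),
    (0x20, "A"),
)


def decode_key_flags(octets: bytes) -> set[str]:
    """Return the usage letters encoded in a Key Flags subpacket body.

    The body is variable length and may be empty; unstated flags are zero,
    and octets beyond the first carry no flag this decoder knows about.
    """
    if not octets:
        return set()
    first = octets[0]
    return {letter for mask, letter in _FLAG_TO_LETTER if first & mask}


def usage_string(octets: bytes) -> str:
    """Render the letters in gpg's order (S, C, E, A), e.g. b'\\x23' -> 'SCA'."""
    letters = decode_key_flags(octets)
    return "".join(letter for _, letter in _FLAG_TO_LETTER if letter in letters)


# Constructed sample of `gpg --with-colons --list-keys` output (not a real
# key).  Field 12 holds the capabilities: lowercase = this key's own,
# uppercase = usable capabilities of the whole key, D = disabled.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:1A3AB000DEADBEEF:1422144000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1422144000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Some Key <some@example.invalid>::::::::::0:
sub:u:4096:1:4B907000CAFEBABE:1442620800::::::s::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
sub:u:4096:1:F9A41000FEEDFACE:1442620800::::::e::::::23:
"""


def parse_colons(listing: str) -> list[dict]:
    """Extract key id and capabilities from pub/sub/sec/ssb records."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub", "sec", "ssb"):
            continue
        caps = fields[11] if len(fields) > 11 else ""
        keys.append({
            "type": fields[0],
            "keyid": fields[4],
            "own": {c for c in caps if c in "esca?"},
            "whole": {c.lower() for c in caps if c in "ESCA"},
            "disabled": "D" in caps,
        })
    return keys


def capability_sources(keys: list[dict]) -> dict[str, list[str]]:
    """Map each capability letter to the key ids that provide it.

    This answers what the listing alone does not show at a glance: which
    subkey actually signs, encrypts or authenticates.  Disabled keys skip.
    """
    sources: dict[str, list[str]] = {}
    for key in keys:
        if key["disabled"]:
            continue
        for cap in sorted(key["own"]):
            sources.setdefault(cap, []).append(key["keyid"])
    return sources


if __name__ == "__main__":
    for flags in (b"\x03", b"\x23", b"\x0c", b""):
        print(flags.hex() or "(empty)", "->", usage_string(flags) or "(none)")
    for cap, ids in capability_sources(parse_colons(SAMPLE_LISTING)).items():
        print(cap, "provided by", ", ".join(ids))
```

Run it against a real keyring with `gpg --with-colons --list-keys | python3 -c 'import sys, keyflags; ...'` style plumbing, or paste the listing into `SAMPLE_LISTING`; the `--with-colons` format, unlike the human listing, is the one GnuPG documents as stable for scripts.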
2

It is actually mentioned in gpg man page now in --list-options - show-usage option description.

    --list-options parameters
        This is a space or comma delimited string that gives options used
        when listing keys and signatures (that is, --list-keys,
        --check-signatures, --list-public-keys, --list-secret-keys, and
        the --edit-key functions). Options can be prepended with a no-
        (after the two dashes) to give the opposite meaning. The options
        are:
        ...
        show-usage
            Show usage information for keys and subkeys in the standard
            key listing. This is a list of letters indicating the allowed
            usage for a key (E=encryption, S=signing, C=certification,
            A=authentication). Defaults to yes.
        ...
1
  • 1
    FWIW, it wasn't mentioned in the gpg man page around 2012 or so, i.e. when the question was posted. Commented Jul 16, 2023 at 12:00
1
  • 0x01 “C” Key Certification
  • 0x20 “A” Authentication

For more of these key flags see the Key Flag Subpacket section of this article.
