49

When I run gpg --list-keys I get the following output:

/home/yax/.gnupg/pubring.kbx ---------------------------- pub rsa2048 2020-10-09 [SC] 4424C645C99A4C29E540C26AAD7DB850AD9CFFAB uid [ultimate] yaxley peaks <[email protected]> sub rsa2048 2020-10-09 [E]

What is my actual key in this block of text?

How do I get my key id?

What does the [SC] and the [E] mean, and what does sub mean?

Here's some info regarding the key.

  1. it was generated with gpg --full-generate-key and I chose the rsa rsa option.
  2. It's 2048 bytes long
Improve this question
2
  • 1
    Does this answer your question? How are the GPG usage flags defined in the key details listing? Commented Oct 10, 2020 at 12:41
  • @Freddy yes thank you but that is not the complete answer to my question. I Would still like to know what is my actual key in that block of text. and what does sub mean Commented Oct 10, 2020 at 13:06

4 Answers 4

Reset to default
28

what is my actual key in this block of text?

It's not shown. Since this is, as you (correctly) said, an RSA 2048-bit key, your actual public key (which is what --list-keys shows) in hex would be over 500 characters -- about 7 full lines on a typical terminal. Your private key, which, for historical reasons*, PGP and GPG call 'secret' and which is shown by --list-secret-keys, would be even longer; in addition, showing it on a terminal where in some cases a bad person might be able to get a copy of it is extremely bad for security.

How do i get my key id?

4424C645C99A4C29E540C26AAD7DB850AD9CFFAB is the fingerprint. There are two keyids, and except for v3 keys which are long obsolete, both are derived from the fingerprint. The 'short' keyid is the low 32 bits, or last 8 hex digits, of the fingerprint and thus is AD9CFFAB. The 'long' keyid is the low 64 bits, or last 16 hex digits, of the fingerprint and thus is AD7DB850AD9CFFAB. Historically the short keyid was used for almost everything, and most websites, blogs, and much documentation that you find will use and show them, but in the last few years short keyids have been successfully attacked so modern programs now default to either the long keyid or (as here) the fingerprint, but you can add them by specifying --keyid-format=long or --keyid-format=short or the equivalent option in some config file, probably .gnupg/config .

The 2048R/0B2B9B37 you found somewhere is an example of the format used by old versions of GPG. It used a single letter R for RSA, because in the old days there were really one three types of keys (and algorithms) to distinguish while now there are more; and it used the short keyid of 8 hexits.

* I originally wrote hysterical raisins in reference to the ancient times when hackers were good and computer users were intelligent, but this is no longer the case. Noted and proposed by https://unix.stackexchange.com/users/424473/yaxley-peaks which I have partially overridden.

Improve this answer
0
19

Although @dave_thompson_085 provided an outstanding answer to the first part of the question (he describes the relationship between fingerprint and KeyID), I'm going to answer the remaining (3) parts of the original question.

"What does the [SC] and the [E] mean, and what does sub mean?"

I can see why nobody answered the parts about "[SC]" & "[E]": GPG's documentation is as cryptic as is GPG itself ;-). I spent ages trying to find express descriptions of these fields and having failed to, I found proofs for their meaning by creating keys.

[SC]:

If we create a key with the --expert switch we are given values for the "[SC]" field if we choose option 11 "set your own capabilities". Thus, we can establish that "[SC]" relates to "Sign Certify" from "Current allowed actions":

gpg --expert --full-gen-key Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (9) ECC and ECC (10) ECC (sign only) (11) ECC (set your own capabilities) (13) Existing key (14) Existing key from card Your selection? 11 Possible actions for a ECDSA/EdDSA key: Sign Certify Authenticate Current allowed actions: Sign Certify (S) Toggle the sign capability (A) Toggle the authenticate capability (Q) Finished Your selection? q

[E]:

gpg --expert --full-gen-key didn't give me an option to change "[E]".

However, creating a key using gpg --default-new-key-algo DOES:

gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "[email protected]"

Remark in the 2nd field between the forward slashes we see the "cert,sign" but in the 3rd field after the 2nd forward slash we see encr is being set.

So "[E]" = encr[yption]

sub:

Sub[key], which Debian's excellent Wiki page describes as:

What are subkeys? OpenPGP further supports subkeys, which are like the normal keys, except they're bound to a primary key pair. A subkey can be used for signing or for encryption. The really useful part of subkeys is that they can be revoked independently of the primary keys, and also stored separately from them.

In other words, subkeys are like a separate key pair, but automatically associated with your primary key pair.

GnuPG actually uses a signing-only key as the primary key, and creates an encryption subkey automatically. Without a subkey for encryption, you can't have encrypted e-mails with GnuPG at all. Debian requires you to have the encryption subkey so that certain kinds of things can be e-mailed to you safely, such as the initial password for your debian.org shell account.

Conclusion:

Finding these details- I can see others with the same questions- was like pulling teeth. GPG's docs could be a bit better. With something like encryption, there can't be ambiguity of meanings which could lead to a misapprehension...

Improve this answer
1
3

You can read this article for explanation about the key flags (see Key Flag Subpacket section).

Your primary key (used for signing) is the one that is preceded with "pub". You can see the private part with "gpg --list-secret-keys" (the one that starts with "sec"). The sub-key (used for encryption) is the one that preceded with "sub" (public sub-key) or "ssb" (secret sub-key). Check the answer to a question about GnuPG separate keys here.

Improve this answer
2
  • 1
    thanks, this makes a lot of sense but it still doesnt answer the main question. Where do i find the actual key? I messed around a bit and found that the 4424C645C99A4C29E540C26AAD7DB850AD9CFFAB is the fingerprint. I still cant find the actual key. I looked up online and it just says it is the key will be shown like: 2048R/0B2B9B37 but i cant find something like that when i do gpg --list-keys Commented Oct 10, 2020 at 16:26
  • You mean the key files? It is usually in "~/.gnupg/" directory or other location that "gpg -K" will tell you. You can also export the public-private key pair in ASCII armored file like shown here. Commented Oct 10, 2020 at 16:43
0

I would point you to this guide Anatomy of a GPG Key - Dave Steele's Blog

It's not a guide containing absolutely everything about GPG and its commands, but it helped me understand a lot more about GPG as a whole.

Improve this answer
1
  • 2
    While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - From Review Commented Jan 9, 2023 at 13:42

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.