
I imported an [E] subkey into a different folder from ~/.gnupg, and exported the subkey's public key with the --homedir option.

I can see that the subkey's public key has fewer lines than the master's public key. Using diff, the result is that they share some starting lines, but then the lines at the bottom differ, so in the end it is still a different public key.

My question: Are they different public keys? (I still need to double confirm this.) If they are different, is encryption/decryption with the subkey done on its own, with no relation to the master key and the other subkeys?

1 Answer

In asymmetric cryptography you always deal with key-pairs. For each secret key there is a corresponding public key. So to answer your first question: yes, the public key of a primary key pair is different from the public key of its subordinate key pair.

I tried to reproduce your experiment and created a GnuPG test key with a primary key (ID 0xA6271DD4) and a subordinate key (ID 0x5336E1DC). I then exported the subordinate key to a file and checked which packets it contains.

    $ gpg --export-secret-subkey 5336E1DC! > subkey.gpg
    $ gpg --list-packets subkey.gpg | grep "\(packet\|keyid\)"
    :secret key packet:
            keyid: 877AA505A6271DD4
    :user ID packet: "testtest <test@test>"
    :signature packet: algo 1, keyid 877AA505A6271DD4
    :secret sub key packet:
            keyid: B0389BEB5336E1DC
    :signature packet: algo 1, keyid 877AA505A6271DD4
    $

Please note that both the user ID and the secret subordinate key are signed by the primary key. At first glance it seems that both the primary and the subordinate secret key were exported. Let's show more info about the first secret key packet.

    $ gpg --list-packets subkey.gpg | head
    # off=0 ctb=95 tag=5 hlen=3 plen=277
    :secret key packet:
            version 4, algo 1, created 1546169910, expires 0
            pkey[0]: [2048 bits]
            pkey[1]: [17 bits]
            gnu-dummy S2K, algo: 0, simple checksum, hash: 0
            protect IV:
            keyid: 877AA505A6271DD4
    # off=280 ctb=b4 tag=13 hlen=2 plen=20
    :user ID packet: "testtest <test@test>"
    $

When exporting a secret key in GnuPG, the corresponding public key is always exported with it. So this secret key packet contains a public key of 2048 bits plus, probably, its 17-bit hash. But the secret key itself is missing; only a stub was exported: gnu-dummy S2K, algo: 0, simple checksum, hash: 0. To wrap it up: when exporting a secret sub key, you always export the public sub key and the public primary key (necessary to verify the signatures) with it.

You write that your public sub key has fewer lines than your public master key. I was not able to reproduce that. With GnuPG you can export a public key without any of its subkeys, in the example above by the command gpg --export A6271DD4! > pubkey.gpg (please note the exclamation mark). On the other hand, it is not possible to export just a public sub key. But if you compare a master key with a master key plus its sub key, the latter naturally has more lines. So to better understand your observation, it would be good to know the exact commands you used.

  • Thanks. I exported the subkey's pubkey following this guide: https://wiki.archlinux.org/index.php/GnuPG#Export_your_public_key. Before following the guide above, I imported the subkey into a specific folder using --homedir <folder> --import and then exported with --homedir pointing to that folder. You will notice that the same public-key export command above, run against the master key and against the subkey, gives different public keys; the master one has longer lines. Commented Jan 2, 2019 at 3:45
  • So you have both keys as files. Could you try gpg --list-packets <keyfile> on both files and see what packets they contain? Commented Jan 2, 2019 at 21:14
  • I checked it, and can confirm that the exported subkey's public key is actually the master's public key; they have the same keyid under the public key packet field. Even in the master's pub, I see there are multiple different keyids, one for each subkey, but they cannot be exported as separate pubkeys. Commented Jan 3, 2019 at 0:57
  • That's what I learned as well: in GnuPG you cannot export a public sub key without its master. For secret sub keys, though, it's possible. In case you'd want to store the public sub key separately from the master, you could use gpgsplit and get an individual file for each packet. Commented Jan 6, 2019 at 18:13
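The packet structure that the answer and the last comment rely on (what gpg --list-packets prints, how a key ID is derived from the public fields only, what a gnu-dummy secret key stub looks like on the wire, and what gpgsplit does) can be checked with a small parser. The following Python is an added example, not code from the original post or from GnuPG; the key material in it is constructed and hypothetical, not a real key. It builds an export of the shape shown in the answer (a gnu-dummy stub of the primary secret key, a user ID, a public subkey; signature packets are left out), lists it, and splits it into one blob per packet the way gpgsplit would. It also makes two facts concrete: in an RSA key packet pkey[1] is the public exponent, and 65537 is a 17-bit number; and a key ID is computed over the public fields only, so a stubbed secret key packet yields the same key ID as the matching public key packet, while the subkey's key ID is a different value.

```python
"""Minimal OpenPGP (RFC 4880) packet walker for inspecting a GnuPG key export.
Added example; the sample export below is constructed, not a real key."""
import hashlib
import struct

# Packet tags (RFC 4880 section 4.3) that show up in a key export.
TAG_NAMES = {2: "signature", 5: "secret key", 6: "public key", 7: "secret sub key",
             13: "user ID", 14: "public sub key"}


def mpi(n):
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_public_body(created, n, e):
    """Body of a v4 RSA public (sub)key packet: version, creation time, algo 1, MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def gnu_dummy_stub_body(public_body):
    """Secret key packet body whose secret part is a GnuPG 'gnu-dummy' S2K stub:
    usage 255 (simple checksum), cipher algo 0, S2K type 101, hash 0, "GNU", mode 1."""
    return public_body + bytes([255, 0, 101, 0]) + b"GNU" + bytes([1])


def old_format_packet(tag, body):
    """Wrap a body in an old-format header: ctb = 0x80 | tag << 2 | length type."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2) | 0, len(body)]) + body          # 1-byte length
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body  # 2-byte length


def parse_packets(data):
    """Yield (tag, body) per packet; old- and new-format headers, fixed lengths only."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad CTB at offset %d" % i)
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                hlen, plen = 2, first
            elif first < 224:
                hlen, plen = 3, ((first - 192) << 8) + data[i + 2] + 192
            elif first == 255:
                hlen, plen = 6, struct.unpack(">I", data[i + 2:i + 6])[0]
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                hlen, plen = 2, data[i + 1]
            elif ltype == 1:
                hlen, plen = 3, struct.unpack(">H", data[i + 1:i + 3])[0]
            elif ltype == 2:
                hlen, plen = 5, struct.unpack(">I", data[i + 1:i + 5])[0]
            else:
                raise ValueError("indeterminate length not supported")
        yield tag, data[i + hlen:i + hlen + plen]
        i += hlen + plen


def public_part(body):
    """Slice of a (secret) RSA key packet body covering only the public fields."""
    i = 6                                                # version(1) + created(4) + algo(1)
    for _ in range(2):                                   # RSA: n, then e
        bits = struct.unpack(">H", body[i:i + 2])[0]
        i += 2 + (bits + 7) // 8
    return body[:i]


def key_id(body):
    """v4 key ID: low 64 bits of SHA-1 over 0x99, 2-byte length, public key fields."""
    pub = public_part(body)
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(pub)) + pub).digest()
    return fpr[-8:].hex().upper()


def is_gnu_dummy(body):
    """True if the secret part of a key packet is a gnu-dummy stub (no secret material)."""
    s = body[len(public_part(body)):]
    return len(s) >= 8 and s[0] == 255 and s[2] == 101 and s[4:7] == b"GNU" and s[7] == 1


def list_packets(data):
    """Return one summary line per packet, in the spirit of gpg --list-packets."""
    out = []
    for tag, body in parse_packets(data):
        name = TAG_NAMES.get(tag, "tag %d" % tag)
        if tag in (5, 6, 7, 14):
            line = ":%s packet: keyid: %s" % (name, key_id(body))
            if tag in (5, 7) and is_gnu_dummy(body):
                line += " (gnu-dummy S2K stub, no secret material)"
        elif tag == 13:
            line = ':user ID packet: "%s"' % body.decode()
        else:
            line = ":%s packet:" % name
        out.append(line)
    return out


def split_packets(data):
    """Like gpgsplit: re-emit every packet as its own stand-alone byte string."""
    return [old_format_packet(tag, body) for tag, body in parse_packets(data)]


# Constructed sample export (hypothetical moduli, NOT real keys): a gnu-dummy stub of the
# primary secret key, a user ID, and the public subkey, as in the listing in the answer.
PRIMARY = rsa_public_body(1546169910, (1 << 2047) | 0x1234567, 65537)   # e = 65537: 17 bits
SUBKEY = rsa_public_body(1546169999, (1 << 2047) | 0x7654321, 65537)
SAMPLE_EXPORT = (old_format_packet(5, gnu_dummy_stub_body(PRIMARY))
                 + old_format_packet(13, b"testtest <test@test>")
                 + old_format_packet(14, SUBKEY))

if __name__ == "__main__":
    for line in list_packets(SAMPLE_EXPORT):
        print(line)
```

With a 2048-bit modulus and e = 65537 the public fields come to 269 bytes and the stub adds 8, which is exactly the plen=277, ctb=95, hlen=3 of the first packet in the answer's listing; the 20-byte user ID gives ctb=b4 with a 1-byte length. To inspect a real export, read the file bytes and pass them to list_packets (binary export only; an ASCII-armored file has to be dearmored first).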
