If you create a new GPG key, you'll by default get a signing-only master key pair and an encryption-only sub-key pair.

pub  2048R/XXXXXXXX  created: 2013-02-09  expires: 2014-02-09  usage: SC  
sec  2048R/XXXXXXXX           2013-02-09 [expires: 2014-02-09]

sub  2048R/ZZZZZZZZ  created: 2013-02-09  expires: 2014-02-09  usage: E
ssb  2048R/ZZZZZZZZ           2013-02-09 [expires: 2014-02-09]  

(Output combined from gpg --list-keys and gpg --list-secret-keys)

It's also recommended to not use your master key for regular signing (of mails/data), but to create another signing-only sub-key and remove/backup your master key to a safe and offline location only to be used for key-signing.

This makes sense as most encryption endpoints are laptops/phones or other always-online, mobile devices which put your private keys at risk of theft or loss. With a securely stored master key, you can always revoke such lost sub-keys and never lose your key signatures.

So while the master-key <-> sub-key separation is clear to me, I don't understand why there is this emphasis on separating signing and encryption keys (even if they are both sub-keys). Can somebody explain why this is necessary or at least what the advantage is from a security or practical perspective?

Technically it's entirely feasible and supported by GnuPG to create a signing AND encrypting sub-key.

pub  2048R/YYYYYYYY  created: 2013-08-13  expires: 2014-08-13  usage: SCEA
sub  2048R/VVVVVVVV  created: 2013-08-13  expires: 2014-08-13  usage: SEA 
  • 3
    There's a good answer to this question over at Security.SE in case anyone's interested.
    – GnP
    Commented Nov 22, 2016 at 17:39

5 Answers


In the United Kingdom, the Regulation of Investigatory Powers Act 2000 says

49 (9) A notice under this section shall not require the disclosure of any key which—

(a) is intended to be used for the purpose only of generating electronic signatures; and

(b) has not in fact been used for any other purpose.

…which means that the UK government may, in some circumstances, be able to compel you to hand over your decryption key (if you're a resident) but they're not allowed to impersonate you with your signing key.

  • 1
    Interesting... this would apply to Bitcoin private keys as well then (only used for signing, not used for encryption). Commented Apr 20, 2017 at 21:17
  • …and it looks like this exemption stays in place in the 2016 act.
    – user162479
    Commented Apr 21, 2017 at 7:12

I don’t know specifically why GPG/PGP does what it does, but one possible motivation for this sort of thing is disaster recovery. You might want to give a copy of your encryption private key to a very close, trusted friend, so, if your house is hit by a meteorite, you can still read your old messages that are saved in the cloud. (Similarly, you might be required to give your encryption key¹ to your boss, so he can read your email after you leave.)

But there’s no reason for anybody else to have a copy of your signing key pair.

¹ “you might be required to give your encryption key” to somebody — see TEV’s answer.


The simple answer is that the more you use a key the more information you leak about the key.

A signing key is used by you to authenticate that you trust a key, and by inference the owner, but more importantly that your communications come from you. This is called non-repudiation.

For argument's sake let's say using a key 10000 times means you leak all the information needed for somebody to reconstruct that key. Using one key >9999 times would mean that somebody else could potentially impersonate you and convey your trusted signature to an evil third party's key or document causing all your trusted network to believe this party is you or the document comes from you.

However if you are also encrypting with that same key the threshold is more quickly reached.

To avoid that potential annoyance a second key is created, which is used only for encryption/decryption, which is only used to encrypt data as you. Once this key has been used 9999 times you can expire this key without losing all the trust you handed out with your valid signing key. You rekey, generate a new encryption key, and sign it with your signing key to show that this is a trusted encryption key which everybody can verify.


On re-reading what I wrote above and the GNU Privacy Handbook, my conclusion is that sub is a private key and pub must be a public key. @GnP this answer:

"The keyword pub identifies the public master signing key, and the keyword sub identifies a public subordinate key."

  • I suppose for most people the signing key is used way more often than the encryption key, as almost all mails will be signed but only some will be encrypted. In this case, the gpg-default is the wrong way around, as the encr. key is easy to change while the signing key is not.
    – Chaos_99
    Commented Aug 16, 2013 at 8:44
  • As you usually encrypt with somebody else's public key this does sound somewhat logical, and there are probably good reasons for this that I'm currently unaware of. Commented Aug 16, 2013 at 9:50
  • You are right. Please exchange "encryption" with "decryption" in my comment. But the point remains valid. You sign more often than you DEcrypt. I asked this question to find out about exactly the "probably good reasons" you mentioned.
    – Chaos_99
    Commented Aug 16, 2013 at 10:59
  • 1
    Both the master as well as the sub-key are valid key PAIRS with public and private key. The abbreviation for the private master is 'sec', for the private sub-key 'ssb'. Both can be seen with gpg --list-secret-keys. The listings given above show only public keys returned by gpg --list-keys.
    – Chaos_99
    Commented Aug 16, 2013 at 12:41
  • 1
    "the more you use a key the more information you leak about the key" do you have a source for that claim?
    – GnP
    Commented Nov 22, 2016 at 17:31

If you create a new GPG key, you'll by default get a signing-only master key pair and an encryption-only sub-key pair.

Messages can be:

  • unsigned and unencrypted
  • signed and unencrypted
  • unsigned and encrypted
  • signed and encrypted

and there are uses for each of those cases, depending on what you are trying to accomplish with signing and encryption.

If by signing you are establishing identity/endorsement, and by encrypting you are making messages private, being able to encrypt but not sign gives you the ability to send a private message that isn't necessarily associated with your identity or endorsed by you. You would want separate keys in this case.

  • 2
    Correct me if I’m wrong, but I believe that, when you encrypt a message, you use the recipient’s (public) key, so, once it leaves your hands, it’s not traceable to you. Your encryption key is for others to send encrypted messages to you. Commented Jun 2, 2014 at 17:34
  • @Scott yes, but most people usually have a default key set as well so they can read whatever is in their outbox and usually to specify a default signature. Though in those cases the key ID of the master/certification key is used to select the correct subkey.
    – Ben
    Commented Dec 29, 2017 at 10:21

Adding to what has already been answered:

Signing and encrypting operations use their own different algorithms & parameters. Those algorithms may have their own weaknesses. A weakness discovered in a given algorithm could imply that the private/secret key which has been used with this particular algorithm may have become compromised to some degree.

Having a different key for each usage allows you to isolate the consequences when discovering a breach for a particular usage.

Also, using the same key with two different algorithms might make new attack schemes available, that could only exist when a given key is used in both contexts (for example if a different weakness from each algorithm would complement each other, or would each reveal some non-identical information about the private/secret key, thus increasing the amount of discoverable private/secret key bits).
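The usage flags shown in the question can be audited mechanically. The following is an added example, not part of any answer above: it reads the machine-readable listing produced by `gpg --list-keys --with-colons` and reports every key or sub-key whose own capabilities combine signing and encryption. The function name, sample key IDs and timestamps are constructed for illustration.

```shell
#!/bin/sh
# Added example: report keys whose own capabilities mix signing (s) and
# encryption (e). Input is `gpg --list-keys --with-colons` output on stdin.
# Colon format: field 1 = record type, field 5 = key ID, field 12 = capabilities.
# On a pub record, lowercase letters are the primary key's own capabilities;
# uppercase letters summarise the whole key and are ignored here.

mixed_usage_keys() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            caps = $12
            gsub(/[^a-z]/, "", caps)      # keep only the own (lowercase) flags
            if (caps ~ /s/ && caps ~ /e/)
                printf "%s %s %s\n", $1, $5, caps
        }'
}

# Constructed sample modelled on the two listings in the question:
# a default key (SC primary, E sub-key) and a combined key (SCEA primary, SEA sub-key).
sample_listing() {
    cat <<'EOF'
pub:u:2048:1:AAAAAAAAAAAAAAAA:1360368000:1391904000::u:::scESC:
uid:u::::1360368000::::Constructed User One <one@example.org>:
sub:u:2048:1:BBBBBBBBBBBBBBBB:1360368000:1391904000:::::e:
pub:u:2048:1:CCCCCCCCCCCCCCCC:1376352000:1407888000::u:::sceaSCEA:
uid:u::::1376352000::::Constructed User Two <two@example.org>:
sub:u:2048:1:DDDDDDDDDDDDDDDD:1376352000:1407888000:::::sea:
EOF
}

# Stand-alone run: only the combined-usage key and its sub-key are listed.
sample_listing | mixed_usage_keys
```

On a real keyring, replace `sample_listing` with `gpg --list-keys --with-colons`; an empty result means no key shares one secret between signing and decryption.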
