Secure Mail Client | Academy / 201.6
All Topics Beginner Intermediate Advanced Download
Intermediate 20 minutes

Master Keys vs. Subkeys

Prerequisites:
creating-first-keys

Understanding PGP Key Architecture

When you first created your PGP key pair, you may have noticed that the process actually generated multiple keys. This isn't a coincidence—modern PGP implementations use a sophisticated key architecture with multiple components serving different functions.

The default key structure includes:

Master Key (Primary Key)

The master key is the root of your PGP identity. Its fingerprint is what uniquely identifies you in the PGP ecosystem.

Capabilities

  • Certify: Sign other people's keys and create subkeys
  • Establish your cryptographic identity
  • Revoke your entire key set if compromised

Treatment

  • Keep extremely secure — ideally offline
  • Use infrequently — only for certification tasks
  • Protect with a strong passphrase

Subkeys

Subkeys are additional keys that are cryptographically bound to your master key but serve specific functions. They can be independently revoked without affecting your master key.

Encryption Subkey

  • Used to receive encrypted messages
  • Others encrypt to this key
  • Typically renewed yearly

Signing Subkey

  • Creates digital signatures
  • Signs your messages
  • Verifiable with your public key

Authentication Subkey

  • Used for SSH authentication
  • Server logins and services
  • Optional but recommended

The Benefits of Subkeys

The subkey architecture provides several important security and practical benefits:

Security Compartmentalization

  • Your master key can remain safely offline and unused for daily operations
  • If a subkey is compromised, you can revoke it without losing your entire PGP identity
  • Different subkeys can be stored in different locations with different security levels

Practical Advantages

  • Subkeys can be placed on hardware security devices like YubiKeys
  • Different expiration dates allow for regular rotation without changing your identity
  • Purpose-specific keys ensure compliance with the principle of least privilege

Security Alert

The master/subkey architecture is a powerful implementation of defense-in-depth. Even if an attacker compromises your daily-use subkeys, your cryptographic identity remains intact as long as your master key is secure.

This is why high-security PGP setups often keep the master key completely offline on airgapped systems.

Reviewing Your Key Structure

Before making any changes, let's examine your current key structure to understand what you're working with.

In Secure Mail Client

To view your key details in Secure Mail Client:

  1. Navigate to Settings → Keys
  2. Select your key from the list
  3. Click "View Details" or a similar option
  4. Look for a section showing "Master Key" and "Subkeys"

Using the Command Line

For more detailed information, you can use the command line with GPG:

List your secret keys with details
      
        
gpg --list-secret-keys --keyid-format LONG

This command will show output similar to: 

sec   rsa4096/0x3AA5C34371567BD2 2025-04-08 [SC] [expires: 2027-04-08]
      Key fingerprint = 867F BB5C 9407 9D74 EB8C  5358 3AA5 C343 7156 7BD2
uid                   [ultimate] Your Name <[email protected]>
ssb   rsa4096/0x4BB6D45482678BE3 2025-04-08 [E] [expires: 2026-04-08]

In this example:

  • sec refers to the master (secret) key with ID 3AA5C34371567BD2 and capabilities [SC] (Sign and Certify)
  • ssb refers to a subkey with ID 4BB6D45482678BE3 and capability [E] (Encryption)

For even more detailed information, examine a specific key:

Examine a specific key in detail
      
        
gpg --edit-key [email protected]

At the GPG prompt, type:

List key details
      
        
gpg> list

This will show all keys with their capabilities, creation dates, expiration dates, and more. Type quit to exit without making changes.

The Optimal Key Structure

For most users, the recommended PGP key structure consists of:

Recommended Configuration

  1. Master Key:
    • 4096-bit RSA key
    • Capabilities: Certify only (C)
    • 2-3 year expiration period
    • Stored securely offline
  2. Encryption Subkey:
    • 4096-bit RSA key
    • Capability: Encrypt only (E)
    • 1-2 year expiration period
    • Used for daily encrypted communications
  3. Signing Subkey:
    • 4096-bit RSA key
    • Capability: Sign only (S)
    • 1-2 year expiration period
    • Used for signing messages and files
  4. Authentication Subkey (optional):
    • 4096-bit RSA key
    • Capability: Authenticate only (A)
    • 1 year expiration period
    • Used for SSH authentication and system logins

This structure achieves the ideal balance between security, usability, and key management.

Creating the Optimal Key Structure

If your key doesn't already have this structure, you can modify it to align with these best practices. There are two main approaches:

Approach 1: Modify Your Existing Key

If you already have a PGP key and want to adapt it to the recommended structure:

Warning

Before making changes to your key structure, create a secure backup of your entire keyring. This ensures you can recover if something goes wrong during the process.

Step 1: Back up your keys

Export your master key and subkeys
      
        
# Export your secret keys
gpg --export-secret-keys --armor [email protected] > master_and_subkeys_backup.asc

# Export your public key
gpg --export --armor [email protected] > public_key_backup.asc

Step 2: Restrict your master key to Certify only

If your master key has signing capability, you should remove it to follow best practices:

Edit your key to restrict capabilities
      
        
gpg --edit-key [email protected]

At the GPG prompt:

gpg> list sec rsa4096/0x3AA5C34371567BD2 created: 2025-04-08 expires: 2027-04-08 usage: SC trust: ultimate validity: ultimate ssb rsa4096/0x4BB6D45482678BE3 created: 2025-04-08 expires: 2026-04-08 usage: E gpg> key 0 gpg> change-usage Changing usage of the primary key. Possible actions for a RSA key: Sign Certify Encrypt Authenticate Current allowed actions: Sign Certify (S)ign (C)ertify (E)ncrypt (A)uthenticate gpg> S Disabling "sign" capability. Current allowed actions: Certify gpg> save

Step 3: Add a dedicated signing subkey (if needed)

Add a signing subkey
      
        
gpg --edit-key [email protected]

At the GPG prompt:

gpg> addkey Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (10) ECC (sign only) (11) ECC (set your own capabilities) (12) ECC (encrypt only) (13) Existing key Your selection? 4 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (3072) 4096 Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years 1y Is this correct? (y/N) y Really create? (y/N) y gpg> save

Step 4: Add an authentication subkey (optional)

Add an authentication subkey
      
        
gpg --expert --edit-key [email protected]

At the GPG prompt:

gpg> addkey Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (10) ECC (sign only) (11) ECC (set your own capabilities) (12) ECC (encrypt only) (13) Existing key Your selection? 8 Possible actions for a RSA key: Sign Encrypt Authenticate Current allowed actions: Sign Encrypt (S)ign (E)ncrypt (A)uthenticate (Q)uit gpg> S Disabling "sign" capability. gpg> E Disabling "encrypt" capability. gpg> A Enabling "authenticate" capability. Current allowed actions: Authenticate gpg> Q RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (3072) 4096 Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years 1y Is this correct? (y/N) y Really create? (y/N) y gpg> save

Approach 2: Create a New Key with the Optimal Structure

If you prefer to start fresh with an optimal key structure, you can create a new key with the correct configuration from the beginning:

Create a new key with the optimal structure
      
        
gpg --expert --full-generate-key

Follow these steps during the interactive process:

  1. Select option (8) RSA (set your own capabilities)
  2. Toggle capabilities until only Certify remains
  3. Set keysize to 4096 bits
  4. Set expiration to 2-3 years
  5. Enter your user information (name, email, comment)
  6. Create a strong passphrase

Once your master key is created, follow the steps above to add encryption, signing, and authentication subkeys.

If you create a new key and want to transition from your old key, you should:

  1. Sign your new key with your old key to establish trust
  2. Publish your new key to key servers
  3. Notify your contacts of your key transition
  4. Consider creating a transition statement signed by both keys

Note

If you're creating a new key as a replacement for an existing one, it's generally best to keep your old key active during a transition period so you can still decrypt messages sent to it.

Securing Your Master Key

The most important outcome of the master/subkey architecture is that you can keep your master key offline and secure while using only your subkeys for daily operations.

Secure Storage Options

Consider these options for secure master key storage:

Encrypted USB Drive

  • Create an encrypted volume on a USB drive
  • Store your master key (exported from your keyring)
  • Keep the drive in a physically secure location
  • Consider using VeraCrypt or similar for encryption

Air-gapped Computer

  • Use a dedicated computer never connected to the internet
  • Boot from a secure OS like Tails for key operations
  • Transfer operations via USB drives
  • Highest security but more complex workflow

Paper Backup

  • Use paperkey to create a minimal backup
  • Store in a secure physical location
  • Waterproof and fireproof container
  • Emergency recovery option

Exporting Your Master Key

To move your master key offline, you need to:

  1. Export your entire keyring 
          
        
gpg --export-secret-keys --armor [email protected] > master_key_backup.asc
  2. Move this file to your secure storage medium
  3. Create a revocation certificate 
          
        
gpg --gen-revoke --armor [email protected] > revocation_certificate.asc

    Store this separately from your master key for emergency use if your key is compromised.

  4. Remove the master key from your daily-use keyring 
          
        
gpg --export-secret-subkeys [email protected] > subkeys_only.gpg
gpg --delete-secret-keys [email protected]
gpg --import subkeys_only.gpg

    This sequence exports just your subkeys, deletes your entire secret keyring, then imports only the subkeys.

  5. Verify that only subkeys remain 
          
        
gpg --list-secret-keys [email protected]

    You should see a "#" after "sec" indicating the master key is not available.

Security Alert

Once you've removed your master key from your daily-use keyring, you'll need to temporarily import it from your secure storage whenever you need to:

  • Sign someone else's key
  • Add a new subkey
  • Extend the expiration date of existing keys
  • Add or remove user IDs (email addresses)

For all other operations (encrypting, decrypting, signing messages), your subkeys will be sufficient.

Subkey Rotation Practices

A key advantage of the subkey architecture is the ability to rotate keys periodically for enhanced security. Here's a recommended process:

Extending Key Expirations

Before subkeys expire, you should extend their expiration dates:

  1. Import your master key from your secure storage
  2. Edit your key 
          
        
gpg --edit-key [email protected]
  3. Select the key to modify
    gpg> key 1 # Select first subkey
  4. Set a new expiration
    gpg> expire Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1y
  5. Repeat for all subkeys using key 1, key 2, etc.
  6. Save your changes
    gpg> save
  7. Remove the master key from your daily-use keyring again
  8. Publish your updated key to key servers

Creating New Subkeys

For maximum security, you may want to periodically create entirely new subkeys:

  1. Import your master key from your secure storage
  2. Revoke the old subkey (optional, but recommended for clarity) 
          
        
gpg --edit-key [email protected]
    gpg> key 1 gpg> revkey
  3. Add new subkeys following the procedures described earlier
  4. Export your updated public key and publish it
  5. Secure your keyring by removing the master key again

Tip

When creating a new encryption subkey, you should keep the old one active for a transition period. This ensures you can still decrypt messages that were encrypted to your old subkey.

For signing and authentication subkeys, transition is simpler as there are no legacy encrypted messages to worry about.

Conclusion

The master/subkey architecture is one of the most powerful features of modern PGP implementations, allowing you to maintain a secure, long-term cryptographic identity while minimizing day-to-day exposure of your critical key material.

By implementing the practices outlined in this module, you've significantly enhanced the security of your PGP setup and reduced the risk of catastrophic key compromise.

In the next module, we'll explore how to further enhance your security by moving your subkeys to a hardware security device like a YubiKey, creating a nearly impenetrable encryption system.

Key Takeaways

  • Master keys establish your cryptographic identity and should be kept secure and offline
  • Subkeys handle daily operations (encryption, signing, authentication) and can be securely stored on your computer or hardware devices
  • The optimal key structure includes a certification-only master key with purpose-specific subkeys
  • Regular subkey rotation enhances security while maintaining your continuous identity
  • Proper backup and storage of all key material is essential for both security and availability

In This Module

Share This Module

Related Modules

YubiKey Hardware Setup

Configure hardware security keys for maximum protection

Key Management Best Practices

Strategies for maintaining and protecting your encryption keys

Air-Gapped Key Operations

Creating and managing keys on isolated systems