GPG keypairs

GPG keys differ from other private keys because each keypair consists of a master key and one or more subkeys. Technically a master key and a subkey are the same kind of key material; what differs is the role each one is given, and keeping those roles separate is what improves security.

As a best practice, use the master key only to create subkeys, and use the subkeys for signing.

If a subkey is compromised, this separation lets you revoke and replace only the affected subkey, while the master key and the uncompromised subkeys remain secure.

The identity of the key is associated with the master key; therefore, if the master key is compromised, the identity of the master key and all associated subkeys are compromised and must be revoked and replaced.
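The workflow above, as an added shell example (not from this page): it creates a certify-only master key and a signing subkey in a throwaway keyring, signs a file with the subkey, revokes that subkey as compromised, and adds a replacement. The user id, file names and the empty passphrase are constructed for the demo, and it assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added demo of the master-key/subkey workflow in a throwaway keyring.
# The user id, file names and the empty passphrase are constructed for the demo.
set -eu
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }
lst() { gpg --batch --with-colons --list-keys "$FPR"; }

# 1. Certify-only master key: it can create and revoke subkeys but cannot sign data.
g --quick-generate-key "Demo User (constructed) <demo@example.invalid>" ed25519 cert never
FPR=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')

# 2. A signing subkey does the day-to-day signing.
g --quick-add-key "$FPR" ed25519 sign 1y
SUB1=$(lst | awk -F: '$1=="sub"{print $5; exit}')

# 3. Sign with that subkey only (the trailing "!" pins the exact key) and verify.
printf 'release artifact (constructed)\n' > "$GNUPGHOME/artifact.txt"
g --detach-sign --local-user "${SUB1}!" --output "$GNUPGHOME/artifact.sig" "$GNUPGHOME/artifact.txt"
gpg --batch --quiet --verify "$GNUPGHOME/artifact.sig" "$GNUPGHOME/artifact.txt"

# 4. Subkey 1 is compromised: revoke it (reason 1 = "key has been compromised").
#    The master key signs the revocation; its identity is untouched.
g --command-fd 0 --edit-key "$FPR" >/dev/null <<'EOF'
key 1
revkey
y
1

y
save
EOF

# 5. Replace it with a fresh signing subkey and sign with that one.
g --quick-add-key "$FPR" ed25519 sign 1y
SUB2=$(lst | awk -F: '$1=="sub"{i++; if(i==2){print $5; exit}}')
g --detach-sign --local-user "${SUB2}!" --output "$GNUPGHOME/artifact2.sig" "$GNUPGHOME/artifact.txt"

# Inspection helpers: capabilities of the master key (lowercase = this key only),
# validity of the n-th subkey ("r" = revoked), and whether a detached signature verifies.
master_caps()     { lst | awk -F: '$1=="pub"{print $12; exit}'; }
subkey_validity() { lst | awk -F: -v n="$1" '$1=="sub"{i++; if(i==n){print $2; exit}}'; }
subkey_count()    { lst | awk -F: '$1=="sub"{n++} END{print n+0}'; }
sig_ok()          { gpg --batch --quiet --verify "$1" "$GNUPGHOME/artifact.txt" 2>/dev/null; }
```

Subkey revocation goes through --edit-key with scripted answers because the --quick-* commands do not cover it; the listing afterwards shows the first subkey as revoked and the master key with only the certify capability.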

Note

The terms GnuPG and GPG should only be used when referring to the tools, not to the output they produce or OpenPGP features they implement.