What are OpenPGP encryption sub-keys?
OpenPGP keys can be used for signing/verification and for encryption/decryption. Keys to be used for encryption or decryption must have one or more encryption sub-keys. Keys that are only used for signing or verification require only a single master signing key. When an OpenPGP key has multiple encryption sub-keys, each sub-key is valid for a specific, non-overlapping period of time. For example, an OpenPGP key that is valid for 10 years might have 10 encryption sub-keys, each of which is valid for a year.
When you create a key, you can set expiration dates for the master signing key and for each encryption sub-key. The total lifetime of the key is determined by the expiration date of the master signing key. At any time during the lifetime of the key, you can add additional encryption sub-keys.
When a file is encrypted using the key, OpenPGP uses the currently-valid encryption sub-key. Encryption sub-keys added after you have distributed a public key to your trading partners are obviously not available and, therefore, cannot be used by your trading partner's OpenPGP product to encrypt files.
Adding an encryption sub-key does not affect the master signing key. If you have given the public key from a key pair to trading partners for use in the verification/authentication of files sent by you, this key can still be used for verification/authentication of files even if no encryption sub-keys are currently valid.
What are the benefits of using multiple OpenPGP encryption sub-keys?
Creating multiple encryption sub-keys for an OpenPGP key pair allows you to transparently change the encryption key used in transactions on a pre-defined schedule without reissuing new public keys to your trading partners.
Regularly changing the sub-key used to encrypt files makes your key much more secure, as anyone trying to attack your key must break the algorithm used by the currently-valid sub-key. Generally, the more often you change your encryption sub-key the more secure your key will be.
When you use OpenPGP keys for transactions with trading partners, you open up a potential security risk each time you must send them a new key. Plus, once your public key has been safely distributed to your partners and is considered 'trusted', a lot of effort may be required to create that same level of trust for a new key.
How do I create an OpenPGP key pair with multiple encryption sub-keys?
To maximize the benefits of using sub-keys, we recommend:
- Create a master signing key that does not expire. Even if you believe that you will stop using the key after a known period of time, setting the expiration date to 'never' means that you can change your mind should your business needs evolve.
- Create a set of encryption sub-keys that cover the ENTIRE PERIOD that you reasonably expect to use the master key. If you expect to use the key for 5 years, you may want to create 10 sub-keys each valid for consecutive 6 month periods or 20 keys for consecutive 3 month periods.
- Create a final encryption sub-key that never expires to ensure that, if necessary, you can continue to use the key pair beyond the period you initially expected.
- Extract a public key from your new key and distribute it to your trading partners. You get the benefit of new encryption keys every 3 to 6 months, without the hassle of redistributing keys to all of your partners!