subkey

A subkey is a cryptographic key derived from a primary or master key within a public-key infrastructure. Subkeys are designed to handle specific tasks and can have their own lifetimes and revocation statuses, separate from the primary key. This separation supports improved security and operational flexibility.

In OpenPGP and similar systems, a user’s key bundle typically includes a primary key used to certify identities and one or more subkeys used for practical cryptographic operations. Subkeys may be designated for encryption, signing, or authentication, and each subkey can have its own expiration date. The primary key often remains offline or in a secure device to limit exposure, while subkeys are used in daily activities.

The use of subkeys offers several advantages. They enable key rotation without reestablishing trust for the entire identity, reduce risk if a subkey is compromised, and support different hardware or environments by distributing subkeys to separate devices or operators. Subkeys can be revoked independently of the primary key, allowing rapid response to incidents without affecting the core identity.

Management considerations include tracking subkeys within a keyring, understanding their capabilities (such as sign, encrypt, or authenticate), and ensuring proper backups and revocation data. Tools that manage public-key infrastructures, like GnuPG, typically provide facilities to create, assign, rotate, revoke, and inspect subkeys and their relationships to the primary key.
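
The tracking described above can be scripted. The following is an added example, not code from the original page or from GnuPG: a Python parser for the machine-readable output of `gpg --list-keys --with-colons` that reports each subkey's capabilities and its revocation or expiry status. The sample text, key IDs, timestamps and the `inventory` helper are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in the layout of `gpg --list-keys --with-colons`;
# the key IDs and timestamps are made up.
SAMPLE = """\
pub:u:255:22:AAAAAAAAAAAAAAAA:1700000000:::u:::cSC:::::ed25519:::0:
uid:u::::1700000000::0000::Example User <user@example.org>::::::::::0:
sub:u:255:18:BBBBBBBBBBBBBBBB:1700000000:1731536000:::::e:::::cv25519::
sub:r:255:22:CCCCCCCCCCCCCCCC:1700000000:1731536000:::::s:::::ed25519::
sub:u:255:22:DDDDDDDDDDDDDDDD:1700000000:1900000000:::::a:::::ed25519::
"""

CAPS = {"e": "encrypt", "s": "sign", "c": "certify", "a": "authenticate"}

def _ts(value):
    # Timestamps are epoch seconds, or ISO "YYYYMMDDTHHMMSS" in some versions.
    if "T" in value:
        dt = datetime.strptime(value, "%Y%m%dT%H%M%S")
        return int(dt.replace(tzinfo=timezone.utc).timestamp())
    return int(value) if value else None

def inventory(colon_text, now, warn_days=30):
    """Return one record per subkey, tied to the primary key it belongs to."""
    rows, primary = [], None
    for line in colon_text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary = f[4]                       # field 5: key ID
        elif f[0] == "sub" and len(f) >= 12:
            expires = _ts(f[6])                  # field 7: expiration date
            if f[1] == "r":                      # field 2: validity, r = revoked
                status = "revoked"
            elif f[1] == "e" or (expires is not None and expires <= now):
                status = "expired"
            elif expires is None:
                status = "no-expiry"
            elif expires - now <= warn_days * 86400:
                status = "expiring"
            else:
                status = "ok"
            caps = [CAPS[c] for c in f[11] if c in CAPS]   # field 12
            rows.append({"primary": primary, "subkey": f[4],
                         "capabilities": caps, "status": status})
    return rows

if __name__ == "__main__":
    for row in inventory(SAMPLE, now=1731000000):  # constructed "current time"
        print(row)
```

Against a real keyring, the same function can be fed the text produced by `gpg --list-keys --with-colons` and the current epoch time.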