SUB-KEYS AND "WEB OF TRUST" IN GNUPG


Whether you believe it or not, PGP sub-keys are an essential part of GnuPG's arsenal. Even though as a beginner you might think that you do not need them, if you are willing to learn about SUBKEYS they will supercharge your GnuPG usage to a whole new level.

OK so what are SUBKEYS ???

Well my friend; they are essentially "Secondary PGP-keys" that are bound to the "Primary PGP-key" that you generated.

Let's say that you generated a brand-new PGP-key [let's assume you created a PGP-key of type "RSA & RSA" or "ECC (sign and encrypt)", which is what I recommended you folks make ;-)]. GnuPG automatically creates a SUBKEY which is used whenever you want to encrypt files/messages. Now if you take a closer look at the so-called "SUBKEY", it will have a different IDENTIFIER, even though the rest of the FINGERPRINT will be the same.

As an example; in our previous articles we created a PGP-Key with the FINGERPRINT ↴↴

1234 ABCD 5678 EFGH 9101 1IJK 1213 LMNO 1415 PQRS
Here "1213LMNO1415PQRS" is the IDENTIFIER, which is the last 12 characters of the FINGERPRINT.

Now in the case of a SUBKEY it would have a different IDENTIFIER, but the rest of the FINGERPRINT before it will remain the same.

"17TU18VW19XY20ZZ" is the IDENTIFIER of the SUBKEY, so the FINGERPRINT of the SUBKEY would be:
1234 ABCD 5678 EFGH 9101 1IJK 17TU 18VW 19XY 20ZZ

Notice that ONLY the "IDENTIFIERS" are different?
Well, this should tell you that the PGP-SubKey is BOUND to the MAIN/PRIMARY/MASTER-PGP-Key. Well guess what; you can create as many SUBKEYS as you want & use them for different purposes, individually.


Remember that SUBKEYS are usually single-purpose [as in they can be "SIGN-ONLY" or "ENCRYPT-ONLY", for example] & since they are bound to the "PRIMARY PGP-KEY" [AKA a "Master-Key"], if you delete the PRIMARY-KEY then the SUBKEYS may become inaccessible, unless you manage them properly.
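To make the primary-key/sub-key relationship concrete, here is an added example (my own code, not part of the original article): it reads the machine-readable listing that `gpg --list-keys --with-colons` produces and shows, for each primary key, the sub-keys hanging off it together with their single-purpose capability letters (field 12 of a `pub`/`sub` record, e.g. `e` for encrypt, `s` for sign). It also checks the one fact the fingerprint example above illustrates: the IDENTIFIER (long key ID) that GnuPG prints is the last 16 hex digits of a v4 fingerprint, and the short key ID is the last 8. The listing embedded below is constructed sample data in the real colon format; every fingerprint, key ID and user ID in it is made up.

```python
"""Added example: parse a `gpg --list-keys --with-colons` listing and
relate each key ID (IDENTIFIER) to its own fingerprint."""
import re

# Constructed sample of `gpg --list-keys --with-colons` output (made-up
# fingerprints/key IDs).  One primary key with an encrypt-only and a
# sign-only sub-key; the second sub-key has an expiry (field 7).
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:3072:1:0A1B2C3D4E5F6071:1700000000:::u:::scESC::::::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0A1B2C3D4E5F6071:
uid:u::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::MyAwesomeKey (personal) <coolperson@proton.me>::::::::::0:
sub:u:3072:1:1122334455667788:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA981122334455667788:
sub:u:3072:1:99AABBCCDDEEFF00:1700000000:1800000000:::::s::::::23:
fpr:::::::::0011223344556677889900AA99AABBCCDDEEFF00:
"""

# Field 12 of pub/sub records: one letter per capability.  Lowercase
# letters are this key's own capabilities; uppercase ones summarise the
# whole key and are ignored here.
CAPABILITY_NAMES = {"e": "encrypt", "s": "sign", "c": "certify", "a": "authenticate"}


def key_id_from_fingerprint(fingerprint, length=16):
    """The IDENTIFIER GnuPG prints for a v4 key is the tail of its
    fingerprint: last 16 hex digits (long key ID) or last 8 (short)."""
    fp = fingerprint.replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fp[-length:]


def capability_list(field):
    return [CAPABILITY_NAMES[c] for c in field if c in CAPABILITY_NAMES]


def parse_listing(text):
    """Return a list of primary keys, each with its uids and sub-keys.
    The fpr record that follows a pub/sub record carries that key's own
    fingerprint (field 10), so it is attached to the record just seen."""
    keys, current_key, last_record = [], None, None
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current_key = {"key_id": fields[4], "caps": capability_list(fields[11]),
                           "fingerprint": None, "uids": [], "subkeys": []}
            keys.append(current_key)
            last_record = current_key
        elif rtype == "sub" and current_key is not None:
            sub = {"key_id": fields[4], "caps": capability_list(fields[11]),
                   "fingerprint": None, "expires": fields[6] or None}
            current_key["subkeys"].append(sub)
            last_record = sub
        elif rtype == "fpr" and last_record is not None:
            last_record["fingerprint"] = fields[9]
        elif rtype == "uid" and current_key is not None:
            current_key["uids"].append(fields[9])
    return keys


def check_key_ids(keys):
    """Sanity check: every key ID must equal the tail of its own fingerprint."""
    for key in keys:
        for rec in [key] + key["subkeys"]:
            if key_id_from_fingerprint(rec["fingerprint"]) != rec["key_id"]:
                return False
    return True


def describe(keys):
    """Human-readable summary, one line per key, sub-keys indented."""
    lines = []
    for key in keys:
        uid = key["uids"][0] if key["uids"] else "(no user ID)"
        lines.append(f"pub {key['key_id']} {'/'.join(key['caps'])}  {uid}")
        for sub in key["subkeys"]:
            lines.append(f"  sub {sub['key_id']} {'/'.join(sub['caps'])} (bound to {key['key_id']})")
    return lines


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print("\n".join(describe(parsed)))
    print("key IDs consistent with fingerprints:", check_key_ids(parsed))
```

On a real system you would feed it `gpg --list-keys --with-colons` output instead of `SAMPLE_LISTING`; the parser ignores the `tru` record and any record types it does not know, so extra lines from newer GnuPG versions are harmless.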

So let's talk about ACTUALLY generating a PGP-SubKey ↴↴↴↴↴

It is basically similar to the steps taken to generate your PRIMARY/MASTER PGP-Key, except for one big difference: here you will have to use the "GnuPG KEY-EDIT Menu". Anyway, the steps are as given below ↴
  1. SELECT THE PRIMARY PGP-KEY:
     Here all you need to do is select the "PRIMARY PGP-Key" in order to get started. To do just that, you will have to type the following command:

    gpg --edit-key KEY_FINGERPRINT
        OR
    gpg --edit-key 0xKEY_IDENTIFIER

    Basically this will activate an "EDIT-MENU" for that particular PRIMARY PGP-key.

  2. GENERATE THE SUBKEYS:
     This is similar to when you generated your PRIMARY PGP-key, except here all you have to do is ↴

    1. Select the SUBKEY-Type
    2. Select the Expiry-Date of the SUBKEY

    Here you might have noticed that SUBKEYS can either be "sign-only" or "encrypt-only"; hence, single-purpose. Yes, you can create as many SUBKEYS as you want for singular purposes: you can make a SUBKEY that you only use for signing, another for verification & another just for encrypting.

  3. SHARING SUBKEYS (INSTEAD OF PRIMARY-KEY):
     Think of this as an "EXTRA TIP".

    Well, you REALLY CANNOT export the PUBLIC-PART of the SUBKEYS the same way as that of the PRIMARY PGP-Keys [you CAN export the PRIVATE-PART of the SUBKEYS, but that is just for transferring them to another computer UNDER YOUR CONTROL].
    You can try it anyway. However, it will show the FINGERPRINT or the IDENTIFIER of your PRIMARY PGP-Key [as well as the USER-ID of your PRIMARY PGP-Key] when someone imports your SUBKEYS.

    gpg --export -a 0xSUBKEY_IDENTIFIER > FILE_NAME.asc

    Now the result of that command (once the file is imported) may be as shown below:-

    gpg: key 1213LMNO1415PQRS: public key "MyAwesomeKey (personal) <coolperson@proton.me>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1

    If you have already imported ANY of the SUBKEYS that belong to the PRIMARY PGP-Key then it may show as "unchanged":-

    gpg: key 1213LMNO1415PQRS: public key "MyAwesomeKey (personal) <coolperson@proton.me>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1

    REMINDER: the FINGERPRINT shown belongs to the PRIMARY PGP-Key the SUBKEY is bound to. It is not that big of a deal, but I thought that you should know ;-)
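The three steps above (select the primary key, add a sub-key, export it) can also be driven without the interactive EDIT-MENU, and the import messages can be read by a program rather than by eye. The following is an added example, my own code and not the article's or GnuPG's own, and it assumes GnuPG 2.1 or newer: `run_gpg_demo()` uses `--quick-gen-key` and `--quick-add-key` (the non-interactive equivalents of the edit-menu's `addkey` sub-command) inside a throwaway `GNUPGHOME`, exports the sub-key's public part with a trailing `!` on its key ID so only that sub-key (plus the primary key it is bound to) goes into the file, and imports the file into a second empty keyring with `--status-fd 1`. `parse_import_status()` then decodes the `IMPORT_OK` status lines, which, exactly as the reminder above says, always carry the PRIMARY key's fingerprint. The status lines embedded in the block are constructed, the fingerprint in them is made up, and the live demo simply returns `None` when `gpg` is not installed.

```python
"""Added example: non-interactive sub-key creation/export with gpg, and a
parser for `gpg --import --status-fd 1` output (assumes GnuPG >= 2.1)."""
import os
import shutil
import subprocess
import tempfile

# Reason bits of "[GNUPG:] IMPORT_OK <reason> <fingerprint>" as documented
# in GnuPG's doc/DETAILS; reason 0 means the key was already present.
IMPORT_REASONS = {1: "new key", 2: "new user IDs", 4: "new signatures",
                  8: "new subkeys", 16: "contains secret key"}

# Constructed sample of what `gpg --import --status-fd 1` emits for a
# brand-new public key that arrives together with a sub-key (1 | 8 = 9).
SAMPLE_STATUS = """\
[GNUPG:] IMPORT_OK 9 89ABCDEF0123456789ABCDEF0A1B2C3D4E5F6071
[GNUPG:] IMPORT_RES 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0
"""


def parse_import_status(text):
    """Return [(primary_fingerprint, [reasons])] for every IMPORT_OK line.
    The fingerprint is the PRIMARY key's even if the file was exported by
    naming a sub-key, which is why the article's import output shows the
    primary key's identifier."""
    results = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "[GNUPG:]" and parts[1] == "IMPORT_OK":
            reason = int(parts[2])
            names = [n for bit, n in IMPORT_REASONS.items() if reason & bit] or ["not changed"]
            results.append((parts[3].upper(), names))
    return results


def import_matches(text, expected_fingerprint):
    """Defensive check after an import: compare the FULL primary fingerprint
    you expected (obtained out of band) with what gpg actually imported;
    never rely on the short identifier alone."""
    wanted = expected_fingerprint.replace(" ", "").upper()
    return any(fpr == wanted for fpr, _ in parse_import_status(text))


def gpg(home, *args, stdin=None):
    """Run gpg non-interactively in the given home directory (empty passphrase,
    loopback pinentry) and return its stdout."""
    cmd = ["gpg", "--homedir", home, "--batch", "--yes",
           "--pinentry-mode", "loopback", "--passphrase", ""] + list(args)
    return subprocess.run(cmd, input=stdin, capture_output=True, text=True, check=True).stdout


def run_gpg_demo():
    """Steps 1-3 of the article without the EDIT-MENU. Returns None when gpg
    is not installed, otherwise the import status text seen by keyring B."""
    if shutil.which("gpg") is None:
        return None
    home_a, home_b = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        os.chmod(home_a, 0o700)
        os.chmod(home_b, 0o700)
        # Certify-only primary key, then a sign-only sub-key bound to it
        # (the interactive equivalent is `addkey` in `gpg --edit-key`).
        gpg(home_a, "--quick-gen-key", "Demo <demo@example.invalid>", "ed25519", "cert", "never")
        listing = gpg(home_a, "--list-keys", "--with-colons").splitlines()
        primary_fpr = next(l.split(":")[9] for l in listing if l.startswith("fpr:"))
        gpg(home_a, "--quick-add-key", primary_fpr, "ed25519", "sign", "never")
        listing = gpg(home_a, "--list-keys", "--with-colons").splitlines()
        sub_id = next(l.split(":")[4] for l in listing if l.startswith("sub:"))
        # "!" after the key ID restricts the export to that sub-key (and the
        # primary key it needs); keyring B receives it and reports the status.
        armored = gpg(home_a, "--export", "--armor", sub_id + "!")
        return gpg(home_b, "--import", "--status-fd", "1", stdin=armored)
    finally:
        shutil.rmtree(home_a, ignore_errors=True)
        shutil.rmtree(home_b, ignore_errors=True)


if __name__ == "__main__":
    for fpr, reasons in parse_import_status(SAMPLE_STATUS):
        print(fpr, "->", ", ".join(reasons))
    live = run_gpg_demo()
    print("gpg not installed, live demo skipped" if live is None else parse_import_status(live))
```

The point of `import_matches()` is the practical one behind the reminder above: because the import message names the primary key, the thing to verify when you receive someone's sub-key file is the full primary-key fingerprint you got from them through another channel, not the identifier printed in the message.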

The "WEB OF TRUST" ↴↴↴

Funny enough, this topic is apparently not discussed enough; I could be wrong though. This is a "decentralized trust-system" which is built on the SIGNATURES that users make on the collection of PUBLIC-KEYS they maintain, which is also known as the "KEY-RING".
Here each SIGNATURE means that the user who signs a PGP-key is acknowledging that the named user owns the matching PRIVATE-KEY.
There are mainly 4 levels of trust in GnuPG, if I am not wrong. A PGP-key is considered valid if it is signed by enough valid PGP-keys. You can also set different parameters for your trust-model; this allows for more granular control and customization, including adjustable thresholds for how many marginally and fully trusted keys are needed. So in order to sign a key you can do the following:

gpg --sign-key KEY_ID
		OR 
gpg --sign-key -u YOUR_EMAIL_ID OTHER_KEY_ID

Now this is a shortcut for GnuPG's EDIT-KEY command; if you use EDIT-KEY and then the "sign" sub-command, it looks like this:

gpg --edit-key 1213LMNO1415PQRS

After selecting a key to sign you use the following command while being in the "GPG EDIT-MENU":

gpg> sign

Reminder that you select the PGP-key that you WANT TO SIGN via the "GnuPG EDIT-MENU". Notice that "gpg>" is the indicator that you are in the "GnuPG EDIT-MENU".
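Signing a key only feeds the second half of the system: the signature says "I checked this key", and GnuPG then decides which keys are VALID from the trust levels you assigned to the signers (the `trust` sub-command in the same EDIT-MENU) and from three thresholds you can change in gpg.conf or on the command line: `--completes-needed` (default 1), `--marginals-needed` (default 3) and `--max-cert-depth` (default 5). The block below is an added example, my own simulation of those classic web-of-trust rules and not GnuPG's own code: it takes a constructed key-ring (your own key marked ultimate, a few keys you signed and trusted fully or marginally, and some keys signed only by them) and works out which keys end up valid and at what certification depth. The key names and signatures are all made up.

```python
"""Added example: simulate GnuPG's classic web-of-trust validity rules
(ownertrust levels + completes/marginals thresholds + certification depth)."""

# Ownertrust you assigned with `gpg --edit-key <key>` -> `trust`.
# "ultimate" is normally only your own key; "never" means signatures by
# that key are ignored; "unknown" is the default for keys you never rated.
TRUST_LEVELS = ("unknown", "never", "marginal", "full", "ultimate")


def compute_validity(ownertrust, signatures, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """ownertrust: {key: trust level}.
    signatures:  {signed_key: set(signer_keys)}  (certifications on the ring).
    Returns {key: depth} for every key judged valid, with ultimately trusted
    keys at depth 0.  A key becomes valid at depth d when it carries enough
    signatures from keys that were already valid at a depth below d and whose
    owner you trust: at least `completes_needed` fully/ultimately trusted
    signers, or at least `marginals_needed` marginally trusted ones."""
    for key, level in ownertrust.items():
        if level not in TRUST_LEVELS:
            raise ValueError(f"{key}: unknown trust level {level!r}")
    valid = {k: 0 for k, t in ownertrust.items() if t == "ultimate"}
    for depth in range(1, max_cert_depth + 1):
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            full = marginal = 0
            for signer in signers:
                # Signer must already be valid at a shallower depth; its
                # signature counts according to the trust YOU placed in it.
                if signer not in valid or valid[signer] >= depth:
                    continue
                level = ownertrust.get(signer, "unknown")
                if level in ("ultimate", "full"):
                    full += 1
                elif level == "marginal":
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                valid[key] = depth
                changed = True
        if not changed:
            break  # nothing new can become valid at greater depth
    return valid


# Constructed key-ring: ME is my own key; I signed and rated five keys.
OWNERTRUST = {"ME": "ultimate", "ALICE": "full", "BOB": "marginal",
              "CAROL": "marginal", "DAVE": "marginal", "EVE": "never"}
SIGNATURES = {
    "ALICE": {"ME"}, "BOB": {"ME"}, "CAROL": {"ME"}, "DAVE": {"ME"},
    "EVE":   {"ALICE"},                 # one fully trusted signer -> valid
    "FRANK": {"BOB", "CAROL", "DAVE"},  # three marginals -> valid
    "GRACE": {"BOB", "CAROL"},          # only two marginals -> NOT valid
    "HEIDI": {"EVE"},                   # EVE is valid but trusted "never"
    "IVAN":  {"FRANK"},                 # FRANK is valid but never rated
}


def report(validity, keys):
    """Map every key of interest to 'valid (depth n)' or 'NOT valid'."""
    return {k: (f"valid (depth {validity[k]})" if k in validity else "NOT valid")
            for k in keys}


if __name__ == "__main__":
    result = compute_validity(OWNERTRUST, SIGNATURES)
    for name, status in report(result, list(OWNERTRUST) + ["FRANK", "GRACE", "HEIDI", "IVAN"]).items():
        print(f"{name:6s} {status}")
```

Two things the simulation makes visible that the prose only states: signing a key is necessary but not sufficient (HEIDI's and IVAN's signers are valid keys, yet neither becomes valid because the signers' owners were never rated, or were rated "never"), and the thresholds are yours to tune, e.g. lowering `marginals_needed` to 2 makes GRACE valid, while `max_cert_depth=1` cuts off everything beyond the keys you signed yourself.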

Well, thank you for reading through this collection of articles of mine. Who knows, this article might get upgraded in the future. I hope you learned something useful about GnuPG/GPG & I hope that I was able to teach you about GnuPG to some extent ♥