Why does GPG not decrypt with all subkeys

encryptiongnupg

I have multiple subkeys for signing and encryption. Here is my public and private key list.

jeremy@localhost ~ 
$ gpg -k
/home/jeremy/.gnupg/pubring.gpg
-------------------------------
pub   4096R/35E40FA7 2015-04-14
uid                  keybase.io/jeremytwfortune <jeremytwfortune@keybase.io>
uid                  Jeremy Fortune <jeremytwfortune@gmail.com>
uid                  Jeremy Fortune <jeremy.fortune@uvmhealth.org>
sub   2048R/73671EAD 2015-04-14 [expires: 2023-04-12]
sub   2048R/0690427C 2015-04-14 [expires: 2023-04-12]
sub   4096R/AEE9FB5F 2015-12-06 [expires: 2025-12-03]
sub   4096R/757D1A1D 2015-12-06 [expires: 2025-12-03]
sub   2112R/9B5BAC36 2015-12-06 [expires: 2025-12-03]
sub   4096R/5A8F548A 2015-12-06 [expires: 2025-12-03]


jeremy@localhost ~ 
$ gpg -K
/home/jeremy/.gnupg/secring.gpg
-------------------------------
sec   4096R/35E40FA7 2015-04-14
uid                  keybase.io/jeremytwfortune <jeremytwfortune@keybase.io>
ssb   2048R/73671EAD 2015-04-14
ssb   2048R/0690427C 2015-04-14

When I encrypt a message to myself, the newest encryption key (9b5bac36) is used. This would seem fine since it's a subkey, but when decrypting, gpg is still only looking for exactly that private key. It doesn't even attempt to use 0690427c.

jeremy@localhost ~ 
$ echo -e "\nAn encrypted message." | gpg -vver 35e40fa7 | gpg -vvd
gpg: using subkey 9B5BAC36 instead of primary key 35E40FA7
gpg: using PGP trust model
gpg: key 35E40FA7: accepted as trusted key 
gpg: checking the trustdb
gpg: 1 keys cached (11 signatures)
gpg: 1 keys processed (0 validity counts cleared)
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: This key belongs to us
gpg: reading from `[stdin]'
gpg: writing to stdout
gpg: RSA/AES256 encrypted for: "9B5BAC36 keybase.io/jeremytwfortune <jeremytwfortune@keybase.io>"
:pubkey enc packet: version 3, algo 1, keyid 743409AA9B5BAC36
        data: [2111 bits]
gpg: public key is 9B5BAC36
:encrypted data packet:
        length: 76
        mdc_method: 2
gpg: using subkey 9B5BAC36 instead of primary key 35E40FA7
gpg: encrypted with 2112-bit RSA key, ID 9B5BAC36, created 2015-12-06
      "keybase.io/jeremytwfortune <jeremytwfortune@keybase.io>"
gpg: decryption failed: secret key not available

When I revoke the newer encryption keys, everything works as expected.

jeremy@localhost ~
$ gpg -k
/home/jeremy/.gnupg/pubring.gpg
-------------------------------
pub   4096R/35E40FA7 2015-04-14
uid                  keybase.io/jeremytwfortune <jeremytwfortune@keybase.io>
uid                  Jeremy Fortune <jeremytwfortune@gmail.com>
uid                  Jeremy Fortune <jeremy.fortune@uvmhealth.org>
sub   2048R/73671EAD 2015-04-14 [expires: 2023-04-12]
sub   2048R/0690427C 2015-04-14 [expires: 2023-04-12]
sub   4096R/AEE9FB5F 2015-12-06 [expires: 2025-12-03]
sub   4096R/5A8F548A 2015-12-06 [expires: 2025-12-03]

jeremy@localhost ~
$ echo -e "\nAn encrypted message." | gpg -vver 35e40fa7 | gpg -vvd
gpg: using subkey 0690427C instead of primary key 35E40FA7
gpg: using PGP trust model
gpg: key 35E40FA7: accepted as trusted key
gpg: This key belongs to us
gpg: reading from `[stdin]'
gpg: writing to stdout
gpg: RSA/AES256 encrypted for: "0690427C keybase.io/jeremytwfortune <jeremytwfortune@keybase.io>"
:pubkey enc packet: version 3, algo 1, keyid 60A3F13E0690427C
        data: [2045 bits]
gpg: public key is 0690427C
gpg: no secret subkey for public subkey AEE9FB5F - ignoring
gpg: no secret subkey for public subkey 5A8F548A - ignoring
gpg: using subkey 0690427C instead of primary key 35E40FA7

You need a passphrase to unlock the secret key for
user: "keybase.io/jeremytwfortune <jeremytwfortune@keybase.io>"
gpg: using subkey 0690427C instead of primary key 35E40FA7
2048-bit RSA key, ID 0690427C, created 2015-04-14 (main key ID 35E40FA7)
gpg: gpg-agent is not available in this session
gpg: public key encrypted data: good DEK
:encrypted data packet:
        length: 76
        mdc_method: 2
gpg: encrypted with 2048-bit RSA key, ID 0690427C, created 2015-04-14
      "keybase.io/jeremytwfortune <jeremytwfortune@keybase.io>"
gpg: AES256 encrypted data
:compressed packet: algo=1
:literal data packet:
        mode b (62), created 1458172973, name="",
        raw data: 23 bytes
gpg: original file name=''

An encrypted message.
gpg: decryption okay

But, of course, this is because it's now encrypting with 0690427c. Can I really only have one encryption subkey? If not, do I have to keep all of the secret subkeys on every machine?

Best Answer

Implementations of OpenPGP (including GnuPG) will by default choose the newest valid encryption (sub)key and encrypt using this. There is no way to define that a given subkey is somehow bound to a given computer or user ID in OpenPGP, nor can you enforce encryption is performed for all valid encryption keys.

One can very well manually choose the key to be used for encryption with GnuPG by using the key ID of choice as recipient, but followed by !. For example, given there is an older encryption subkey DEADBEEF, and you want to override the default of using another, newer encryption subkey:

gpg --recipient DEADBEEF! --encrypt

If the ! is omitted, GnuPG resolves the key ID to the primary key instead, and chooses the newest matching subkey again. Using the same method, you can enforce use of the primary key (if it has the encryption capability set).

If you want to use encryption different keys on different computers, you will have to use different primary keys. This is one of the major shortcomings of OpenPGP.

About Primary Keys and Subkeys

The master key (like the private key) was used to sign data that only the subkey (the public key) could decrypt, but the subkey (the public key) could only encrypt data, which could then only be decrypted by the master key (the private key). Am I correct in this assumption, or are they 2 separate key-pairs altogether?

You haven't got the concepts of public/private key (also called assymetric) cryptography quite right. Each set of public and private keys is split, you publish the public key so others can use it and keep the private key private. Signatures issued by the private key can be verified through the public key, messsages encrypted using the public key can be decrypted with the private key. There is no immediate relationship between primary key and subkey pairs in OpenPGP, these are completely different key pairs.

Is it just GnuPG that uses this method, where a subkey is created automatically for encryption, or is this mandated by the OpenPGP protocol?

The default setup in GnuPG is you have a primary key pair used for certification and signatures, while the encryption subkey is used for encryption only. Using RSA, you could also generate primary keys supporting all those operations (and with GnuPG and the --expert flag, you can!). This is mostly because of other algorithms like DSA and Elgamal, which only support one of the operations (DSA is for signing only, Elgamal for encryption) where you need to have different keys.

There is also some advantage in having different keys for different usages: consider a flaw is found that allows to calculate a private key from signatures under certain conditions. While your signing key would be targeted, the encryption subkey is another one and not targeted by this attack. Some people even consider restricting the primary key to certification only and adding two subkey pairs is best practice, one for signing, one for encryption.

Binding Signatures

If they are 2 separate key-pairs, what mathematically binds the subkey to the master key?

In OpenPGP, a special kind of binding signature is issued when a subkey is created. Subkeys capable of signing can also issue such a binding signature on the primary key. Those special signature are defined in RFC 4880, OpenPGP, 5.2.1. Signature Types:

   0x18: Subkey Binding Signature
       This signature is a statement by the top-level signing key that
       indicates that it owns the subkey.  This signature is calculated
       directly on the primary key and subkey, and not on any User ID or
       other packets.  A signature that binds a signing subkey MUST have
       an Embedded Signature subpacket in this binding signature that
       contains a 0x19 signature made by the signing subkey on the
       primary key and subkey.

   0x19: Primary Key Binding Signature
       This signature is a statement by a signing subkey, indicating
       that it is owned by the primary key and subkey.  This signature
       is calculated the same way as a 0x18 signature: directly on the
       primary key and subkey, and not on any User ID or other packets.

Addressing Subkeys in GnuPG

When I upload a key to a keyserver, which key is uploaded, my master key or the subkey? Or both?

When I use the --export function, which OpenPGP key is exported when I specify my UID?

Usually, in GnuPG key IDs and UIDs are always resolved to the primary key. All export operations (and uploading to a keyserver is also considered an export) also export the subkeys, user IDs and certifications on your key. Similar things exist for other operations like signing and encrypting. If you really want to denote a subkey for operations, you have to add ! behind the subkey (eg. gpg --recipient 0xDEADBEEF! --encrypt).

Best Answer

Related Solutions

How GPG generates an MD5 fingerprint given a public key

The relationship between an OpenPGP key and its subkey

About Primary Keys and Subkeys

Binding Signatures

Addressing Subkeys in GnuPG

Related Question