If you create a new GPG key, you'll by default get a signing-only master key pair and an encryption-only sub-key pair.
pub 2048R/XXXXXXXX created: 2013-02-09 expires: 2014-02-09 usage: SC
sec 2048R/XXXXXXXX 2013-02-09 [expires: 2014-02-09]
sub 2048R/ZZZZZZZZ created: 2013-02-09 expires: 2014-02-09 usage: E
ssb 2048R/ZZZZZZZZ 2013-02-09 [expires: 2014-02-09]
(Output combined from gpg --list-keys
and gpg --list-secret-keys
)
It's also recommended to not use your master key for regular signing (of mails/data), but to create another signing-only sub-key and remove/backup your master key to a safe and offline location only to be used for key-signing.
This makes sense as most encryption endpoints are laptops/phones or other always-online, mobile devices which put your private keys at risk of theft or loss. With a securely stored master key, you can always revoke such lost sub-keys and never loose your key signatures.
So while the master-key <-> sub-key separation is clear to me, I don't understand why there is this emphasis on separating signing and encryption keys (even if they are both sub-keys).
Can somebody explain why this is necessary or at least what the advantage is from a security or practical perspective?
Technically it's entirely feasible and supported by GnuPG to create a signing AND encrypting sub-key.
pub 2048R/YYYYYYYY created: 2013-08-13 expires: 2014-08-13 usage: SCEA
sub 2048R/VVVVVVVV created: 2013-08-13 expires: 2014-08-13 usage: SEA
Best Answer
In the United Kingdom, the Regulation of Investigatory Powers Act 2000 says
…which means that the UK government may, in some circumstances, be able to compel you to hand over your decryption key (if you're a resident) but they're not allowed to impersonate you with your signing key.