gpg – Help Understanding gpg --list-keys Output

When I run gpg --list-keys I get the following output.

/home/yax/.gnupg/pubring.kbx
----------------------------
pub   rsa2048 2020-10-09 [SC]
      4424C645C99A4C29E540C26AAD7DB850AD9CFFAB
uid           [ultimate] yaxley peaks <epiclycoolgaemer@gmail.com>
sub   rsa2048 2020-10-09 [E]

What is my actual key in this block of text?

How do I get my key id?

What do the [SC] and the [E] mean, and what does sub mean?

Here's some info regarding the key.

  1. It was generated with gpg --full-generate-key and I chose the rsa rsa option.
  2. It's 2048 bytes long

Best Answer

What is my actual key in this block of text?

It's not shown. Since this is, as you (correctly) said, an RSA 2048-bit key, your actual public key (which is what --list-keys shows) in hex would be over 500 characters -- about 7 full lines on a typical terminal. Your private key, which for hysterical raisins PGP and GPG call 'secret', shown by --list-secret-keys, would be even longer, and in addition showing it on a terminal where in some cases a bad person might be able to get a copy of it is extremely bad for security.

How do I get my key id?

4424C645C99A4C29E540C26AAD7DB850AD9CFFAB is the fingerprint. There are two keyids, and except for v3 keys which are long obsolete, both are derived from the fingerprint. The 'short' keyid is the low 32 bits, or last 8 hex digits, of the fingerprint and thus is AD9CFFAB. The 'long' keyid is the low 64 bits, or last 16 hex digits, of the fingerprint and thus is AD7DB850AD9CFFAB. Historically the short keyid was used for almost everything, and most websites, blogs, and much documentation that you find will use and show them, but in the last few years short keyids have been successfully attacked so modern programs now default to either the long keyid or (as here) the fingerprint, but you can add them by specifying --keyid-format=long or --keyid-format=short or the equivalent option in some config file, probably .gnupg/config.

The 2048R/0B2B9B37 you found somewhere is an example of the format used by old versions of GPG. It used a single letter R for RSA, because in the old days there were really only three types of keys (and algorithms) to distinguish while now there are more; and it used the short keyid of 8 hexits.
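
The key ID derivation described in the answer, applied to the listing from the question, as an added example (not code from the original post or from GnuPG). The function names are hypothetical, and the usage-letter table (S = sign, C = certify, E = encrypt, A = authenticate) is GnuPG's standard set of capability letters rather than something stated in the answer above.

```python
import re

# Capability letters gpg prints in brackets after each key (added assumption:
# GnuPG's standard letters, not taken from the answer text).
USAGE = {"S": "sign", "C": "certify", "E": "encrypt", "A": "authenticate"}

# Listing copied from the question above (default gpg 2.x --list-keys layout).
LISTING = """\
pub   rsa2048 2020-10-09 [SC]
      4424C645C99A4C29E540C26AAD7DB850AD9CFFAB
uid           [ultimate] yaxley peaks <epiclycoolgaemer@gmail.com>
sub   rsa2048 2020-10-09 [E]
"""

KEY_LINE = re.compile(r"^(pub|sub)\s+([a-z]+)(\d+)\s+(\d{4}-\d{2}-\d{2})\s+\[([A-Z]+)\]")
FPR_LINE = re.compile(r"^\s+([0-9A-Fa-f]{40})\s*$")


def key_ids(fingerprint):
    """Return (long, short) key IDs of a v4 key: low 64 and low 32 bits."""
    fpr = fingerprint.replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a 160-bit (40 hex digit) v4 fingerprint")
    return fpr[-16:], fpr[-8:]


def parse_listing(text):
    """Parse pub/sub lines and the fingerprint line that follows a key."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            kind, algo, bits, created, flags = m.groups()
            keys.append({"kind": kind, "algo": algo, "bits": int(bits),
                         "created": created, "fingerprint": None,
                         "usage": [USAGE.get(f, "unknown:" + f) for f in flags]})
            continue
        m = FPR_LINE.match(line)
        if m and keys:
            # The listing above shows a fingerprint for pub only; sub stays None.
            keys[-1]["fingerprint"] = m.group(1).upper()
    return keys


def legacy_label(key):
    """Old-style 'bits + algorithm letter / short keyid' label, RSA only here."""
    if key["algo"] != "rsa" or key["fingerprint"] is None:
        raise ValueError("need an RSA key with a listed fingerprint")
    return "%dR/%s" % (key["bits"], key_ids(key["fingerprint"])[1])
```

Scripts that read live gpg output should parse the machine-readable --with-colons form instead of the human-readable layout handled here.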
