How are the GPG usage flags defined in the key details listing?
Ok, the gpg manual does not seem to mention these abbreviations. Thus, one has to look at the source.
For example under Debian/Ubuntu:
$ apt-get source gnupg2
$ cd gnupg2-2.0.17
$ cscope -bR
$ grep 'usage: %' . -r --exclude '*po*'
$ vim g10/keyedit.c
jump to usage: %
jump to definition of `usagestr_from_pk`
From the code one can derive following table:
Constant             Character
PUBKEY_USAGE_SIG     S
PUBKEY_USAGE_CERT    C
PUBKEY_USAGE_ENC     E
PUBKEY_USAGE_AUTH    A
Thus, for example, usage: SCA means that the sub-key can be used for signing, for creating a certificate and for authentication purposes.
The layout of the --edit-key listing is not documented (not that I could find anyway). The abbreviations you mention however are, somewhere in the info pages (info gpg).
I searched for S: and found that I actually wanted to search for usage:.
In "GPG Key related Options":
4.2.1 How to change the configuration
These options are used to change the configuration and are usually found in the option file.
'--list-options parameters'
show-usage
Show usage information for keys and subkeys in the standard key listing. This is a list of letters indicating the allowed usage for a key ('E'=encryption, 'S'=signing, 'C'=certification, 'A'=authentication). Defaults to no.
So, doing gpg -k --list-options show-usage 1A3ABKEY will show you something like this:
pub rsa4096/1A3ABKEY 2015-01-25 [SC]
uid [ultimate] Some Key
sub rsa4096/4B907KEY 2015-09-19 [S]
sub rsa4096/F9A41KET 2015-09-19 [E]
Some more info is found in "Unattended Usage of GPG"
Key-Usage: USAGE-LIST
Space or comma delimited list of key usages. Allowed values are 'encrypt', 'sign', and 'auth'. This is used to generate the key flags. Please make sure that the algorithm is capable of this usage. Note that OpenPGP requires that all primary keys are capable of certification, so no matter what usage is given here, the 'cert' flag will be on. If no 'Key-Usage' is specified and the 'Key-Type' is not 'default', all allowed usages for that particular algorithm are used; if it is not given but 'default' is used the usage will be 'sign'.
So, while not immediately apparent, the info is there, somewhere, on your system. If man does not help you, try man -k and/or info.
These key flags are defined in the OpenPGP spec
5.2.3.21. Key Flags
(N octets of flags)
This subpacket contains a list of binary flags that hold information about a key. It is a string of octets, and an implementation MUST NOT assume a fixed size. This is so it can grow over time. If a list is shorter than an implementation expects, the unstated flags are considered to be zero. The defined flags are as follows:
First octet:
0x01 - This key may be used to certify other keys.
0x02 - This key may be used to sign data.
0x04 - This key may be used to encrypt communications.
0x08 - This key may be used to encrypt storage.
0x10 - The private component of this key may have been split by a secret-sharing mechanism.
0x20 - This key may be used for authentication.
0x80 - The private component of this key may be in the possession of more than one person.
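The following is an added example, not code from any of the answers above and not GnuPG's own source. It ties the three answers together: it decodes a Key Flags subpacket (the octet list from the spec quoted above) into the S/C/E/A letters from the first answer's table, and it pulls those letters back out of a `gpg -k --list-options show-usage` listing line of the form shown in the second answer. Two things are assumptions rather than statements from the page: that GnuPG maps both encryption bits (0x04 and 0x08) to the single letter E, and that the letters are emitted in the order S, C, E, A (consistent with "usage: SCA" and "[SC]" on the page). The bits 0x10 and 0x80 describe the secret key and get no usage letter, so they are reported separately.

```python
import re
from typing import Dict, List, Optional

# Added example (not GnuPG source): decode an OpenPGP Key Flags subpacket
# (section 5.2.3.21) into the usage letters gpg prints, and pull those
# letters back out of a `gpg -k --list-options show-usage` listing line.

# First-octet flag bits exactly as listed in the spec.
FLAG_CERTIFY = 0x01          # certify other keys                  -> gpg 'C'
FLAG_SIGN = 0x02             # sign data                           -> gpg 'S'
FLAG_ENCRYPT_COMMS = 0x04    # encrypt communications              -> gpg 'E'
FLAG_ENCRYPT_STORAGE = 0x08  # encrypt storage                     -> gpg 'E'
FLAG_SPLIT_KEY = 0x10        # secret split by secret-sharing      (no letter)
FLAG_AUTH = 0x20             # authentication                      -> gpg 'A'
FLAG_SHARED_KEY = 0x80       # secret held by more than one person (no letter)

FLAG_DESCRIPTIONS: Dict[int, str] = {
    FLAG_CERTIFY: "certify other keys",
    FLAG_SIGN: "sign data",
    FLAG_ENCRYPT_COMMS: "encrypt communications",
    FLAG_ENCRYPT_STORAGE: "encrypt storage",
    FLAG_SPLIT_KEY: "private component split by secret-sharing",
    FLAG_AUTH: "authentication",
    FLAG_SHARED_KEY: "private component held by more than one person",
}


def first_octet(subpacket: bytes) -> int:
    # The spec says the list may be shorter than an implementation expects
    # and that unstated flags are zero, so an empty subpacket means "no
    # flags".  Octets after the first carry no defined flags and are ignored.
    return subpacket[0] if subpacket else 0


def usage_letters(subpacket: bytes) -> str:
    # Assumption: same letter order as gpg's usagestr_from_pk() (S, C, E, A)
    # and, like GnuPG, both encryption bits collapse to the single 'E'.
    flags = first_octet(subpacket)
    letters = ""
    if flags & FLAG_SIGN:
        letters += "S"
    if flags & FLAG_CERTIFY:
        letters += "C"
    if flags & (FLAG_ENCRYPT_COMMS | FLAG_ENCRYPT_STORAGE):
        letters += "E"
    if flags & FLAG_AUTH:
        letters += "A"
    return letters


def describe_flags(subpacket: bytes) -> List[str]:
    # Description of every set bit, including 0x10 and 0x80, which say
    # something about the secret key but never appear as a usage letter.
    flags = first_octet(subpacket)
    return [text for bit, text in FLAG_DESCRIPTIONS.items() if flags & bit]


# Matches the pub/sub lines shown in the answer above, e.g.
#   pub rsa4096/1A3ABKEY 2015-01-25 [SC]
_LISTING_RE = re.compile(r"^(pub|sub)\s+\S+\s+\d{4}-\d{2}-\d{2}\s+\[([SCEA]*)\]")


def listing_usage(line: str) -> Optional[str]:
    # Return the bracketed usage letters of a pub/sub listing line, or None
    # for uid lines and anything else that does not match the format.
    match = _LISTING_RE.match(line.strip())
    return match.group(2) if match else None


if __name__ == "__main__":
    # Constructed one-octet subpackets: [SC] primary, [E] subkey, SCA, and
    # a key whose secret part is split and shared but has no usage bits.
    for raw in (b"\x03", b"\x0c", b"\x23", b"\x90"):
        print(raw.hex(), usage_letters(raw) or "-", describe_flags(raw))
    # Listing lines as shown in the answer above (constructed key ids).
    for text in ("pub rsa4096/1A3ABKEY 2015-01-25 [SC]",
                 "uid [ultimate] Some Key",
                 "sub rsa4096/F9A41KET 2015-09-19 [E]"):
        print(repr(text), listing_usage(text))
```

Note that the letters are lossy in both directions: a key flagged only for storage encryption and one flagged for both kinds of encryption print the same E, and the secret-sharing bits are invisible in the listing entirely, so when the distinction matters you have to look at the raw subpacket (for instance via gpg --list-packets) rather than at the bracketed letters.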