86

When I list the details of a key I get output like this:

$ gpg --edit-key SOMEID
pub [..] created: [..] expires: [..]   usage:SC
[..]
sub [..] created: [..] expires: [..]   usage: E

Or even usage: SCA on another key (the master-key part).

What do these abbreviations in the usage field mean?

I can derive that:

S -> for signing
E -> for encrypting

But what about C and A?

And are there more?

And where to look stuff like this up?

maxschlepzig
  • 57,532

7 Answers

88

Ok, the gpg manual does not seem to mention these abbreviations. Thus, one has to look at the source.

For example under Debian/Ubuntu:

$ apt-get source gnupg2
$ cd gnupg2-2.0.17
$ cscope -bR
$ grep 'usage: %' . -r --exclude '*po*'
$ vim g10/keyedit.c
jump to usage: %
jump to definition of `usagestr_from_pk`

From the code one can derive following table:

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Constant              Character
───────────────────────────────
PUBKEY_USAGE_SIG      S
PUBKEY_USAGE_CERT     C
PUBKEY_USAGE_ENC      E
PUBKEY_USAGE_AUTH     A
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Thus, for example, usage: SCA means that the sub-key can be used for signing, for creating a certificate and authentication purposes.

maxschlepzig
  • 57,532
28

The layout of the --edit-key listing is not documented (not that I could find anyway). The abbreviations you mention however are, somewhere in the info pages (info gpg).

I searched for S: and found that I actually wanted to search for usage:.

In "GPG Key related Options":

4.2.1 How to change the configuration

These options are used to change the configuration and are usually found in the option file.

'--list-options parameters'

 show-usage

      Show usage information for keys and subkeys in the standard
      key listing.  This is a list of letters indicating the allowed
      usage for a key ('E'=encryption, 'S'=signing,
      'C'=certification, 'A'=authentication).  Defaults to no.

So, doing gpg -k --list-options show-usage 1A3ABKEY will show you something like this:

pub   rsa4096/1A3ABKEY 2015-01-25 [SC]
uid         [ultimate] Some Key
sub   rsa4096/4B907KEY 2015-09-19 [S]
sub   rsa4096/F9A41KET 2015-09-19 [E]

Some more info is found in "Unattended Usage of GPG":

Key-Usage: USAGE-LIST

 Space or comma delimited list of key usages.  Allowed values are
 'encrypt', 'sign', and 'auth'.  This is used to generate the key
 flags.  Please make sure that the algorithm is capable of this
 usage.  Note that OpenPGP requires that all primary keys are
 capable of certification, so no matter what usage is given here,
 the 'cert' flag will be on.  If no 'Key-Usage' is specified and the
 'Key-Type' is not 'default', all allowed usages for that particular
 algorithm are used; if it is not given but 'default' is used the
 usage will be 'sign'.

So, while not immediately apparent, the info is there, somewhere, on your system. If man does not help you, try man -k and/or info.

jeroentbt
  • 381
  • I can see this on the manpage for gpg 1.4.18, however it seems absent from the manual for gpg 2.0.28. Additionally, on both versions, the command "gpg -k --list-options show-usage 1A3ABKEY" outputs "gpg: unknown option `show-usage'" – YoungFrog Oct 17 '15 at 08:28
  • @YoungFrog. Thank you for the comment. I clarified I found the info in the info pages.

    As for the command not working, for me it works on gpg (2.1.8). When I try gpg1 (1.4.19) I do also get gpg: unknown option 'show-usage' gpg: invalid list options Although its usage is documented in the gpg1 info pages...

    – jeroentbt Oct 18 '15 at 18:44
8

Buried deep in the GnuPG mailing-list...

What do the letters to the right of the words "usage" mean?
(S,C,A,E) I can only guess |S|ign, |E|ncrypt, ....

(S)ign: sign some data (like a file)
(C)ertify: sign a key (this is called certification)
(A)uthenticate: authenticate yourself to a computer (for example, logging in)
(E)ncrypt: encrypt data

7

These key flags are defined in the OpenPGP spec

5.2.3.21. Key Flags

(N octets of flags)

This subpacket contains a list of binary flags that hold information about a key. It is a string of octets, and an implementation MUST NOT assume a fixed size. This is so it can grow over time. If a list is shorter than an implementation expects, the unstated flags are considered to be zero. The defined flags are as follows:

   First octet:

0x01 - This key may be used to certify other keys.

0x02 - This key may be used to sign data.

0x04 - This key may be used to encrypt communications.

0x08 - This key may be used to encrypt storage.

0x10 - The private component of this key may have been split by a secret-sharing mechanism.

0x20 - This key may be used for authentication.

0x80 - The private component of this key may be in the possession of more than one person.

6

Another info source is the DETAILS file in the GnuPG distribution.

Section "Field 12 - Key capabilities" states

The defined capabilities are:

e - Encrypt
s - Sign
c - Certify
a - Authentication
? - Unknown capability

A key may have any combination of them in any order. In addition to these letters, the primary key has uppercase versions of the letters to denote the usable capabilities of the entire key, and a potential letter ‘D’ to indicate a disabled key.

Claudius B
  • 61
  • 1
  • 3
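An added example (not code from any of the answers above or from GnuPG's own source) that turns the first Key Flags octet from the OpenPGP spec excerpt into the letters gpg prints, in the S, C, E, A order of usagestr_from_pk from the first answer, and parses the field 12 capabilities of `gpg --with-colons` output as the DETAILS excerpt describes them. The key IDs and timestamps in the sample listing are constructed.

```python
# Added example, not code from the answers above or from GnuPG itself. It
# shows how the RFC 4880 Key Flags bits map onto the letters gpg prints,
# in the order usagestr_from_pk emits them (S, C, E, A), and how to read
# field 12 of `gpg --with-colons` output as the DETAILS file describes it.
# Key IDs and timestamps in the sample listing are constructed.

# RFC 4880 5.2.3.21, first octet of the Key Flags subpacket.
FLAG_CERT, FLAG_SIGN, FLAG_ENC_COMMS, FLAG_ENC_STORE = 0x01, 0x02, 0x04, 0x08
FLAG_SPLIT, FLAG_AUTH, FLAG_SHARED = 0x10, 0x20, 0x80

def usage_from_key_flags(subpacket: bytes) -> str:
    """Render the Key Flags subpacket as gpg's usage string (e.g. 'SCA').
    gpg shows both encrypt bits as a single E; an empty subpacket means
    every flag is zero, which is how the RFC says unstated flags are read."""
    octet = subpacket[0] if subpacket else 0
    out = "S" if octet & FLAG_SIGN else ""
    out += "C" if octet & FLAG_CERT else ""
    out += "E" if octet & (FLAG_ENC_COMMS | FLAG_ENC_STORE) else ""
    out += "A" if octet & FLAG_AUTH else ""
    return out

def custody_notes(subpacket: bytes) -> list:
    """The two bits that describe how the private key is held rather than
    what it may do: split by secret sharing, or held by several people."""
    octet = subpacket[0] if subpacket else 0
    return [name for bit, name in ((FLAG_SPLIT, "split"), (FLAG_SHARED, "shared"))
            if octet & bit]

def capabilities_from_colons(listing: str) -> list:
    """Parse pub:/sub: records of `gpg --with-colons` output. Field 12 holds
    lowercase letters for the key's own capabilities, uppercase letters (on
    the primary key) for the whole key, and 'D' when the key is disabled."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        keys.append({"type": f[0], "keyid": f[4],
                     "own": "".join(c for c in f[11] if c in "esca?"),
                     "entire": "".join(c for c in f[11] if c in "ESCA"),
                     "disabled": "D" in f[11]})
    return keys

# Constructed listing: RSA primary key [SC] with an [S] and an [E] subkey.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1422144000:::u:::scESC::::::23::0:
sub:u:4096:1:FEDCBA9876543210:1442620800::::::s::::::23:
sub:u:4096:1:1122334455667788:1442620800::::::e::::::23:
"""
```

Feed usage_from_key_flags the octet 0x23 (0x20 | 0x02 | 0x01) and it returns 'SCA', the string from the question; capabilities_from_colons(SAMPLE_LISTING) splits the primary key's 'scESC' into its own 'sc' and the whole-key 'ESC'.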
1
  • 0x01 “C” Key Certification
  • 0x20 “A” Authentication

For more of these key flags see the Key Flag Subpacket section of this article.

Meesha
  • 124
1

It is actually mentioned in the gpg man page now, in the description of the show-usage value of --list-options.

       --list-options parameters
              This is a space or comma delimited  string  that  gives  options
              used  when  listing  keys  and signatures (that is, --list-keys,
              --check-signatures, --list-public-keys, --list-secret-keys,  and
              the  --edit-key functions).  Options can be prepended with a no-
              (after the two dashes) to give the opposite  meaning.   The  op‐
              tions are:
          ...

          show-usage
                 Show usage information for keys and subkeys in the  stan‐
                 dard  key  listing.  This is a list of letters indicating
                 the allowed usage for  a  key  (E=encryption,  S=signing,
                 C=certification, A=authentication).  Defaults to yes.

          ...

hashlash
  • 123