Diplomat Enterprise Edition provides advanced features for creating multiple encryption subkeys. Creating multiple encryption subkeys for a private key pair allows you to painlessly change your encryption key -- for improved security -- without reissuing new public keys to your trading partners.

Overview of Subkeys

OpenPGP keys can be used for signing/verification and for encryption/decryption. Keys that are only used for signing/verification have only a single master signing key.  Keys to be used for encryption/decryption must also have at least one encryption subkey.  When you create a new OpenPGP key, you must specify whether the key will only be used for signing/verification.  If not, an encryption subkey will be created.

When you create a key, you can set expiration dates for the master signing key and for each encryption subkey.  The total lifetime of the key is determined by the expiration date of the master signing key.  At any time during the lifetime of the key, you can add additional encryption subkeys.

When a file is encrypted using the key, OpenPGP uses the currently-valid encryption subkey. Encryption subkeys added after you have distributed a public key to your trading partners are obviously not available and, therefore, cannot be used by your trading partner's OpenPGP product to encrypt files.

Adding an encryption subkey does not affect the master signing key. If you have given the pubic key from a key pair to trading partners for use in the verification/ authentication of files sent by you, this key can still be used for verification/authentication of files even if no encryption subkeys are currently valid.

Benefits of Using Subkeys

Regularly changing the subkey used to encrypt files makes your key much more secure, as anyone trying to attack your key must break the algorithm used by the currently-valid subkey.  Generally, the more often you change your encryption subkey the more secure your key will be.

When you use OpenPGP keys for transactions with trading partners, you open up a potential security risk each time you must send them a new key. Plus, once your public key has been safely distributed to your partners and is considered 'trusted', a lot of effort is required to create that same circle of trust for a new key.

How To Set Up Subkeys

To maximize the benefits of using subkeys, we recommend:

• Create a master signing key that does not expire. 

Even if you believe that you will stop using the key after a known period of time, setting the expiration date to 'never' means that you can change your mind should your business needs evolve. 

• Create a set of encryption subkeys that cover the ENTIRE PERIOD that you reasonably expect to use the master key. 

If you expect to use the key for 5 years, you may want to create 10 subkeys each valid for consecutive 6 month periods or 20 keys for consecutive 3 month periods. 

• Extract a public key from your new key and distribute it to your trading partners.

You get the benefit of new encryption keys every 3 to 6 months, without the hassle of redistributing keys to all of your partners!