Why is there no “Toggle the encrypt capability” when generating master key using ECC vs RSA?
Evaluating switching from RSA to ECC when provisioning YubiKeys.
Noticed that when I run gpg --expert --full-generate-key
and select “ECC (set your own capabilities)”, the “Toggle the encrypt capability” feature is not available (vs when using RSA).
I am trying to generate ECC master key from which I would like to derive signing, encryption and authentication sub-keys.
Why? Thanks for helping out!
Subkeys are not derived from the master key. They are merely signed by the master key, but otherwise have no relationship to it – their capabilities and even algorithms do not need to match.
Indeed that's the whole point of subkeys in PGP. Originally it used a single RSA keypair for everything, but now there is a common saying among cryptography experts that the same key should never be used for different purposes, such as signing and encryption – so eventually the 'subkeys' feature was invented so that signing could be done using one RSA key and encryption using another.
(To some extent, even using the same signing key for network authentication and document certification is not a good idea – even though those are the same thing cryptographically, they're different policy-wise. The "PIV smartcard" mode in your Yubikey has explicitly separate keyslots for these purposes, because they have different PIN requirements.)
So while RSA keypairs in PGP can still have all capability bits at once (for legacy reasons), all other key types are explicitly treated as using different algorithms for signing and encryption – an "ECDSA" (19) or "EdDSA" (22) key can only sign/verify and an "ECDH" (18) key can only encrypt/decrypt. Something similar applies to DSA versus ElGamal.
And because the master key in PGP is used to certify both other people's keys and your own subkeys, it must be a signing-capable algorithm with the certify
capability. For an EC key, this rules out the encryption-capable algorithms.
But as already mentioned, this does not affect subkeys in any way. Once you have the primary key generated, you can add subkeys with any algorithm (for example, even an old RSA primary key could have an Ed25519 signing subkey and a P256 authentication subkey).