Offline Primary Key
dshaw at jabberwocky.com
Mon Mar 1 19:57:48 CET 2010
On Mar 1, 2010, at 12:20 PM, Phillip Susi wrote:
> I would like to keep the private portion of my primary key stored offline and use an expiring secondary key for day to day signing. To accomplish this I have tried backing up the key after creating the secondary signing key, then attempting to delete the private portion of the primary key from the key ring, but even when I explicitly specify the primary key ID to delete with --delete-primary-keys, the secondary private key is also removed.
> How can I remove ONLY the private part of the primary key, and not the secondary key(s)?
What you need to do is an --export-secret-subkeys (there is no such command as --delete-primary-keys). So, starting from a state where your whole key (primary and all secondaries) are all imported to your GPG instance, do:
gpg --export-secret-subkeys (thekeyid) > my-secondary-keys-only.gpg
Then import my-secondary-keys-only.gpg into whichever GPG you want to use it with. If you want to use it with the same one you just exported from, then do:
gpg --export-secret-key (thekeyid) > my-real-secret-key.gpg
gpg --delete-secret-key (thekeyid)
gpg --import my-secondary-keys-only.gpg
(i.e. save a copy of the full key, delete it from the keyring, and replace it with the secondary-key-only copy).
Make sure you save my-real-secret-key.gpg in a safe place!
Didn't someone write a nice HOWTO about offline private keys at one point? I thought there was one out there, but can't find it at the moment. Can anyone post the URL for Philip?
More information about the Gnupg-users