Offline Primary Key

David Shaw dshaw at
Mon Mar 1 19:57:48 CET 2010

On Mar 1, 2010, at 12:20 PM, Phillip Susi wrote:

> I would like to keep the private portion of my primary key stored offline and use an expiring secondary key for day to day signing.  To accomplish this I have tried backing up the key after creating the secondary signing key, then attempting to delete the private portion of the primary key from the key ring, but even when I explicitly specify the primary key ID to delete with --delete-primary-keys, the secondary private key is also removed.
> How can I remove ONLY the private part of the primary key, and not the secondary key(s)?

What you need to do is an --export-secret-subkeys (there is no such command as --delete-primary-keys).  So, starting from a state where your whole key (primary and all secondaries) are all imported to your GPG instance, do:

   gpg --export-secret-subkeys (thekeyid) > my-secondary-keys-only.gpg

Then import my-secondary-keys-only.gpg into whichever GPG you want to use it with.  If you want to use it with the same one you just exported from, then do:

  gpg --export-secret-key (thekeyid) > my-real-secret-key.gpg
  gpg --delete-secret-key (thekeyid)
  gpg --import my-secondary-keys-only.gpg

(i.e. save a copy of the full key, delete it from the keyring, and replace it with the secondary-key-only copy).

Make sure you save my-real-secret-key.gpg in a safe place!

Didn't someone write a nice HOWTO about offline private keys at one point?  I thought there was one out there, but can't find it at the moment.  Can anyone post the URL for Philip?


More information about the Gnupg-users mailing list