Offline Primary Key

David Shaw dshaw at
Mon Mar 1 21:37:41 CET 2010

On Mar 1, 2010, at 3:31 PM, Phillip Susi wrote:

> On 3/1/2010 1:57 PM, David Shaw wrote:
>> What you need to do is an --export-secret-subkeys (there is no such command as --delete-primary-keys).  So, starting from a state where your whole key (primary and all secondaries) are all imported to your GPG instance, do:
> Yes, I meant --delete-secret-key
>>    gpg --export-secret-subkeys (thekeyid)>  my-secondary-keys-only.gpg
>> Then import my-secondary-keys-only.gpg into whichever GPG you want to use it with.  If you want to use it with the same one you just exported from, then do:
>>   gpg --export-secret-key (thekeyid)>  my-real-secret-key.gpg
>>   gpg --delete-secret-key (thekeyid)
>>   gpg --import my-secondary-keys-only.gpg
>> (i.e. save a copy of the full key, delete it from the keyring, and replace it with the secondary-key-only copy).
> This does the trick, but I still do not understand why --delete-secret-key removes BOTH the primary and subkey secrets when I specifically gave only the ID of the subkey?  Shouldn't it remove exactly what I say and no more?

It has to do with how keys are specified.  In GnuPG, you can specify a key in a number of ways - by name, by (any) fingerprint, and by (any) key ID.  So if you have a key named "foobar", and the key ID is AAAAAAAA and the subkey ID is BBBBBBBB, you could refer to that key with any of "foobar", "AAAAAAAA", or "BBBBBBBB".  When you say "--delete-secret-key BBBBBBBB", you're actually saying delete the whole key.
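
A check that can be run after the procedure in this message, as an added example that is not part of the original post: it reads `gpg --list-secret-keys --with-colons` output and reports whether the primary secret key of the key block containing a given key ID is only a stub (`#` in field 15 of the `sec` record). As in the explanation above, a primary or a subkey ID selects the same key block. The listing is constructed sample data that reuses the thread's placeholder IDs, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-secret-keys --with-colons` output (not from
# the thread). Key IDs reuse the message's placeholders, padded to 16 hex digits.
# First block: primary secret removed (stub). Second block: full secret key.
sample_listing() {
  cat <<'EOF'
sec:u:2048:1:AAAAAAAAAAAAAAAA:1267400000:::u:::scESC:::#:
uid:u::::1267400000::::foobar:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1267400000::::::e:::+:
sec:u:2048:1:CCCCCCCCCCCCCCCC:1267400000:::u:::scESC:::+:
uid:u::::1267400000::::other key:
ssb:u:2048:1:DDDDDDDDDDDDDDDD:1267400000::::::e:::+:
EOF
}

# primary_state KEYID
# Reads a colon listing on stdin. KEYID may be a short or long ID of the
# primary key or of any subkey; either one selects the whole key block.
# Prints "<primary key ID> offline" when the sec record is a stub ('#' in
# field 15), "<primary key ID> present" otherwise. Returns 1 if no block
# contains KEYID.
primary_state() {
  awk -F: -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
    # True when the listed ID ends with the requested (possibly short) ID.
    function is_match(id) {
      return length(id) >= length(want) &&
             substr(id, length(id) - length(want) + 1) == want
    }
    # A sec record starts a new key block; remember its ID and stub marker.
    $1 == "sec" { primary = $5; state = ($15 == "#") ? "offline" : "present" }
    # Primary or subkey match: report the state of the block it belongs to.
    ($1 == "sec" || $1 == "ssb") && is_match($5) {
      print primary, state; found = 1; exit
    }
    END { if (!found) exit 1 }
  '
}

# Demo on the constructed listing: the subkey ID resolves to the key block
# whose primary secret is a stub.
sample_listing | primary_state BBBBBBBB   # prints "AAAAAAAAAAAAAAAA offline"
```

Against a real keyring, pipe `gpg --list-secret-keys --with-colons` into `primary_state` in place of `sample_listing`.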

