Offline Primary Key

David Shaw dshaw at
Mon Mar 1 22:13:33 CET 2010

On Mar 1, 2010, at 4:11 PM, Phillip Susi wrote:

> On 3/1/2010 3:37 PM, David Shaw wrote:
>>> This does the trick, but I still do not understand why
>>> --delete-secret-key removes BOTH the primary and subkey secrets
>>> when I specifically gave only the ID of the subkey?  Shouldn't it
>>> remove exactly what I say and no more?
>> It has to do with how keys are specified.  In GnuPG, you can specify
>> a key in a number of ways - by name, by (any) fingerprint, and by
>> (any) key ID.  So if you have a key named "foobar", and the key ID is
>> AAAAAAAA and the subkey ID is BBBBBBBB, you could refer to that key
>> with any of "foobar", "AAAAAAAA", or "BBBBBBBB".  When you say
>> "--delete-secret-key BBBBBBB", you're actually saying delete the
>> whole key.
> Can this be overridden?  I thought that is what the ! suffix was for,
> but it still deletes the whole thing.

Not for deletion.  There is no way to delete a primary key "in place" while leaving the subkeys intact.  Such an ability is very dangerous since if you delete that primary key without a backup, you'll never be able to make more subkeys, issue a revocation certificate, or sign someone elses key.  The current design effectively forces people to manually move the valuable primary key out of the way before clobbering it with the subkey-only copy of the key.


More information about the Gnupg-users mailing list