Offline Primary Key
dshaw at jabberwocky.com
Mon Mar 1 22:13:33 CET 2010
On Mar 1, 2010, at 4:11 PM, Phillip Susi wrote:
> On 3/1/2010 3:37 PM, David Shaw wrote:
>>> This does the trick, but I still do not understand why
>>> --delete-secret-key removes BOTH the primary and subkey secrets
>>> when I specifically gave only the ID of the subkey? Shouldn't it
>>> remove exactly what I say and no more?
>> It has to do with how keys are specified. In GnuPG, you can specify
>> a key in a number of ways - by name, by (any) fingerprint, and by
>> (any) key ID. So if you have a key named "foobar", and the key ID is
>> AAAAAAAA and the subkey ID is BBBBBBBB, you could refer to that key
>> with any of "foobar", "AAAAAAAA", or "BBBBBBBB". When you say
>> "--delete-secret-key BBBBBBBB", you're actually saying delete the
>> whole key.
> Can this be overridden? I thought that is what the ! suffix was for,
> but it still deletes the whole thing.
Not for deletion. There is no way to delete a primary key "in place" while leaving the subkeys intact. Such an ability is very dangerous since if you delete that primary key without a backup, you'll never be able to make more subkeys, issue a revocation certificate, or sign someone else's key. The current design effectively forces people to manually move the valuable primary key out of the way before clobbering it with the subkey-only copy of the key.
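The two points made in this exchange, that naming a subkey ID selects the whole key and that the primary must be backed up and moved aside before the keyring is replaced with a subkey-only copy, can be reproduced end to end. The script below is an added example written for this page, not code from the thread or from GnuPG itself. It assumes GnuPG 2.1 or later is installed as `gpg` with `gpgconf` alongside it, works in a throwaway `GNUPGHOME` so the real keyring is never touched, and generates a constructed test key with an empty passphrase so it runs unattended.

```shell
#!/bin/sh
# Added example, not part of the original thread: walks through the
# offline-primary-key workflow David describes inside a temporary GNUPGHOME.
# Assumes GnuPG 2.1+ ("gpg") and "gpgconf" are on PATH.
set -eu

# Field 15 of a sec/ssb record in --with-colons output: '#' means the secret
# key is only a stub (offline), '+' means the secret material is available.
secret_status() {   # $1 = record type, "sec" or "ssb"
    gpg --batch --with-colons --list-secret-keys \
        | awk -F: -v t="$1" '$1==t { print ($15 == "" ? "?" : $15); exit }'
}

# Fingerprint of the first secret primary key in the keyring.
primary_fingerprint() {
    gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1=="fpr" { print $10; exit }'
}

# Runs the whole demo and prints one summary line:
#   resolved=<same|different> primary=<#|+> subkey=<#|+>
run_demo() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

    # 1. Constructed test key: a sign+certify primary plus one encryption
    #    subkey. The passphrase is empty only so the script needs no prompt.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo User <demo@example.invalid>' default default never \
        2>/dev/null

    fpr=$(primary_fingerprint)
    sub_id=$(gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1=="ssb" { print $5; exit }')

    # 2. The point from the thread: referring to the subkey ID selects the
    #    whole key, so listing "$sub_id" yields the primary's fingerprint.
    resolved=$(gpg --batch --with-colons --list-keys "$sub_id" \
        | awk -F: '$1=="fpr" { print $10; exit }')
    if [ "$resolved" = "$fpr" ]; then same=same; else same=different; fi

    # 3. Back up the complete secret key first. Without this copy there is
    #    no way to add subkeys, revoke the key, or certify other keys later.
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --export-secret-keys "$fpr" > "$GNUPGHOME/primary-backup.gpg"

    # 4. Export only the subkey secrets; the primary becomes a stub here.
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --export-secret-subkeys "$fpr" > "$GNUPGHOME/subkeys.gpg"

    # 5. Delete the secret key (the whole key, as explained above) and
    #    import the subkey-only copy in its place.
    gpg --batch --yes --delete-secret-keys "$fpr"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --import "$GNUPGHOME/subkeys.gpg" 2>/dev/null

    printf 'resolved=%s primary=%s subkey=%s\n' \
        "$same" "$(secret_status sec)" "$(secret_status ssb)"
}

# Usage: run_demo
# Expected on success: resolved=same primary=# subkey=+
```

After step 5, `gpg -K` shows the primary as `sec#`, the human-readable form of the `#` marker the script reads from field 15, while the subkey stays `ssb` with its secret available. The backup written in step 3 is the file that belongs on offline storage; everything else in the temporary directory is discarded by the `trap` when the function returns.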