How do I delete secret subkeys correctly?

Peter Lebbing peter at digitalbrains.com
Thu Apr 11 16:26:55 CEST 2019


On 11/04/2019 16:06, Matheus Afonso Martins Moreira wrote:
> Public key list confirmed deletion of the subkeys from my public key
> but the secret key list still included all my revoked subkeys.

Could you provide an example? I find this rather surprising, that -K
would ever list more than -k.

> The public key packets were promptly redownloaded and reintegrated
> into the keyring when I searched for my user ID.

Yes, that is expected behaviour. You can't delete stuff from the
keyserver, and everything that is valid will be incorporated into your
copy when you fetch it.

> I don't understand why --edit-keys would work now,

I cannot reproduce this on Debian stable with 2.1.18. I think you might
be misinterpreting the result, so I've built a step by step "lack of
reproduction" with comments.

What might be misleading: you say you are dealing with revoked subkeys.
Unless you specify "--list-options show-unusable-subkeys", you might not
see those in the keylistings even though they are there.

--8<---------------cut here---------------start------------->8---
$ gpg --with-keygrip -K 8CD9B759DBA3DC2EBEAA31B40D72EEEAA1274AE5
sec   rsa3072 2019-04-11 [SC] [expires: 2021-04-10]
      8CD9B759DBA3DC2EBEAA31B40D72EEEAA1274AE5
      Keygrip = 97A3F4843F1B7669524F066472CFA935F23D7574
uid           [  undef ] Testkey
ssb   rsa3072 2019-04-11 [E] [expires: 2021-04-10]
      Keygrip = 6D610FB78404E0C80954BB993E3410ED9FA463A6
--8<---------------cut here---------------end--------------->8---

The gpg binary only deals with public keys in the keyring directly.
Secret keys are delegated to gpg-agent, and gpg-agent works with
keygrips only, so to take a closer look we need the keygrip. Note that
the subkey above starts with the word "ssb" without a suffix, indicating
this is an available key. If the secret part were not available, it
would say "ssb#". So we expect that if we query the gpg-agent directly,
it will hold that key.

--8<---------------cut here---------------start------------->8---
$ gpg-connect-agent 
> keyinfo 6D610FB78404E0C80954BB993E3410ED9FA463A6
S KEYINFO 6D610FB78404E0C80954BB993E3410ED9FA463A6 D - - - P - - -
OK
> /bye
--8<---------------cut here---------------end--------------->8---

It does. I'm exporting the public key now to be able to do something
similar to "fetching from the keyserver".

--8<---------------cut here---------------start------------->8---
$ gpg -o test.gpg --export 8CD9B759DBA3DC2EBEAA31B40D72EEEAA1274AE5
File 'test.gpg' exists. Overwrite? (y/N) y
--8<---------------cut here---------------end--------------->8---

Let's delete that pesky subkey with delkey.

--8<---------------cut here---------------start------------->8---
$ gpg --edit-key 8CD9B759DBA3DC2EBEAA31B40D72EEEAA1274AE5
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa3072/0D72EEEAA1274AE5
     created: 2019-04-11  expires: 2021-04-10  usage: SC  
     trust: never         validity: undefined
ssb  rsa3072/E7ED2961F743E804
     created: 2019-04-11  expires: 2021-04-10  usage: E   
[  undef ] (1). Testkey

gpg> key 1

sec  rsa3072/0D72EEEAA1274AE5
     created: 2019-04-11  expires: 2021-04-10  usage: SC  
     trust: never         validity: undefined
ssb* rsa3072/E7ED2961F743E804
     created: 2019-04-11  expires: 2021-04-10  usage: E   
[  undef ] (1). Testkey

gpg> delkey
Do you really want to delete this key? (y/N) y

sec  rsa3072/0D72EEEAA1274AE5
     created: 2019-04-11  expires: 2021-04-10  usage: SC  
     trust: never         validity: undefined
[  undef ] (1). Testkey

gpg> save
--8<---------------cut here---------------end--------------->8---

I'm immediately suspicious. If it had deleted the secret part,
I'd have expected a popup from gpg-agent asking me if I was sure about
that. I got no popup. Let's see whether we still have the secret key
available (with the keygrip).

--8<---------------cut here---------------start------------->8---
$ gpg-connect-agent
> keyinfo 6D610FB78404E0C80954BB993E3410ED9FA463A6
S KEYINFO 6D610FB78404E0C80954BB993E3410ED9FA463A6 D - - - P - - -
OK
> /bye
--8<---------------cut here---------------end--------------->8---

Yep, the secret key material is still in our GnuPG homedir. Let's look
at gpg -K and then re-import the public stuff.

--8<---------------cut here---------------start------------->8---
$ gpg -K 8CD9B759DBA3DC2EBEAA31B40D72EEEAA1274AE5
sec   rsa3072 2019-04-11 [SC] [expires: 2021-04-10]
      8CD9B759DBA3DC2EBEAA31B40D72EEEAA1274AE5
uid           [  undef ] Testkey

$ gpg --import test.gpg 
gpg: key 0D72EEEAA1274AE5: "Testkey" 1 new signature
gpg: key 0D72EEEAA1274AE5: "Testkey" 1 new subkey
gpg: Total number processed: 1
gpg:            new subkeys: 1
gpg:         new signatures: 1
$ gpg -K 8CD9B759DBA3DC2EBEAA31B40D72EEEAA1274AE5
sec   rsa3072 2019-04-11 [SC] [expires: 2021-04-10]
      8CD9B759DBA3DC2EBEAA31B40D72EEEAA1274AE5
uid           [  undef ] Testkey
ssb   rsa3072 2019-04-11 [E] [expires: 2021-04-10]
--8<---------------cut here---------------end--------------->8---

Ah yes. We now have the secret key "back" as well even though it is
definitely not part of test.gpg. It says "ssb", we can use it.

I know how to delete the secret subkey, but I don't know how to do it in
a user-friendly way. Let's chat to our gpg-agent again.

--8<---------------cut here---------------start------------->8---
$ gpg-connect-agent
> delete_key 6D610FB78404E0C80954BB993E3410ED9FA463A6
OK
> /bye
$ gpg -K 8CD9B759DBA3DC2EBEAA31B40D72EEEAA1274AE5
sec   rsa3072 2019-04-11 [SC] [expires: 2021-04-10]
      8CD9B759DBA3DC2EBEAA31B40D72EEEAA1274AE5
uid           [  undef ] Testkey
ssb#  rsa3072 2019-04-11 [E] [expires: 2021-04-10]
--8<---------------cut here---------------end--------------->8---

Ah, look. This time when we invoked gpg -K, it is now correctly
indicating that we have deleted the secret part of that subkey, but we
still have the public part. It indicates knowledge of the existence of
the subkey, but it is marked as "ssb#" this time around, meaning we
don't have the secret key material anymore. So I /have/ answered your
question "how do I delete the secret subkey", but I can only do it by
fiddling with the agent directly rather than through the gpg binary.

I hope this helps your understanding!

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
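As an added example (not part of Peter's mail), a small POSIX shell helper that does the keygrip lookup Peter did by eye, but over machine-readable `gpg --with-colons --with-keygrip -K` output, and that turns a subkey's key ID into the `gpg-connect-agent delete_key` call he used. The listing is constructed: the primary key ID, subkey ID and keygrips match his session, while the second subkey (a stub, what `gpg -K` shows as `ssb#`) and all fingerprints are made up.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --with-keygrip -K` output.
# In sec/ssb records field 5 is the key ID, field 12 the capabilities and
# field 15 is '#' when only a stub of the secret key exists (what the
# human-readable listing shows as "ssb#"). Each grp record carries the
# keygrip of the preceding key in field 10. Fingerprints here are fake.
SAMPLE='sec:u:3072:1:0D72EEEAA1274AE5:1554940000:1618012000::u:::scESC:::+:::23::0:
fpr:::::::::8CD9B759DBA3DC2EBEAA31B40D72EEEAA1274AE5:
grp:::::::::97A3F4843F1B7669524F066472CFA935F23D7574:
uid:u::::1554940000::0000000000000000000000000000000000000000::Testkey::::::::::0:
ssb:u:3072:1:E7ED2961F743E804:1554940000:1618012000:::::e:::+:::23:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAE7ED2961F743E804:
grp:::::::::6D610FB78404E0C80954BB993E3410ED9FA463A6:
ssb:u:3072:1:0000000000000001:1554940000:1618012000:::::s:::#:::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB0000000000000001:
grp:::::::::0000000000000000000000000000000000000001:'

# Read a colon listing on stdin and print one line per subkey:
#   <key id> <capabilities> <present|stub> <keygrip>
# "stub" means gpg-agent no longer holds the secret material (ssb#).
subkey_keygrips() {
    awk -F: '
        $1 == "ssb" { kid = $5; cap = $12
                      st = ($15 == "#") ? "stub" : "present"; want = 1; next }
        $1 == "grp" && want { print kid, cap, st, $10; want = 0 }
        $1 == "sec" || $1 == "uid" { want = 0 }
    '
}

# Given a subkey ID, read the colon listing on stdin and print the
# gpg-connect-agent invocation that deletes that subkey's secret part.
# It only prints the command (never runs it) and fails when the subkey
# is unknown or already a stub. Without --force the agent will still
# ask for confirmation through pinentry before deleting.
agent_delete_cmd() {
    kid=$1
    grip=$(subkey_keygrips | awk -v k="$kid" '$1 == k && $3 == "present" { print $4 }')
    [ -n "$grip" ] || return 1
    printf 'gpg-connect-agent "delete_key %s" /bye\n' "$grip"
}

# Stand-alone usage over the constructed listing.
printf '%s\n' "$SAMPLE" | subkey_keygrips
printf '%s\n' "$SAMPLE" | agent_delete_cmd E7ED2961F743E804
```

On a real system replace the constructed listing with `gpg --with-colons --with-keygrip -K <fingerprint> | subkey_keygrips`; the public part of the subkey stays in the keyring either way, exactly as Peter's final `gpg -K` shows.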
