How do I delete secret subkeys correctly?

Daniel Kahn Gillmor dkg at
Thu Apr 11 17:29:28 CEST 2019

On Wed 2019-04-10 17:28:54 +0200, Peter Lebbing wrote:
> On 10/04/2019 17:24, Peter Lebbing wrote:
>> gpg> delkey
> Sorry, my fatigued head was being silly. That's for deleting the public
> part, not the secret part. I don't think I know the way to delete the
> secret part when you just want to delete some subkey.

I agree with Peter that delkey doesn't do what you want it to do.

I was trying to figure out how to do it through the user interface, and
it's pretty clunky, with some scary failure modes.  I've opened about it.

I know that with the version of GnuPG that you're using right now, you
can delete the secret key by learning its keygrip and asking gpg-agent
to delete it for you.

Start by getting a snapshot of how GnuPG sees the key:

    gpg --with-keygrip --list-secret-keys "$YOUR_FINGERRINT"

Then take the keygrip of the subkey you care about as $KEYGRIP and do:

    gpg-connect-agent "delete_key $KEYGRIP" /bye

(note that gpg-agent might prompt you about deletion when you do this)

Now you can verify that this worked by running the snapshot again and
comparing it with the earlier run:

    gpg --with-keygrip --list-secret-keys "$YOUR_FINGERPRINT"

The difference should be that you should see a "#" appear after the
"ssb" line that talks about the associated subkey.  the "#" means "no
secret key available."



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list