How do I delete secret subkeys correctly?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Apr 11 17:29:28 CEST 2019
On Wed 2019-04-10 17:28:54 +0200, Peter Lebbing wrote:
> On 10/04/2019 17:24, Peter Lebbing wrote:
>> gpg> delkey
>
> Sorry, my fatigued head was being silly. That's for deleting the public
> part, not the secret part. I don't think I know the way to delete the
> secret part when you just want to delete some subkey.
I agree with Peter that delkey doesn't do what you want it to do.
I was trying to figure out how to do it through the user interface, and
it's pretty clunky, with some scary failure modes. I've opened
https://dev.gnupg.org/T4457 about it.
I know that with the version of GnuPG that you're using right now, you
can delete the secret key by learning its keygrip and asking gpg-agent
to delete it for you.
Start by getting a snapshot of how GnuPG sees the key:
gpg --with-keygrip --list-secret-keys "$YOUR_FINGERPRINT"
Then take the keygrip of the subkey you care about as $KEYGRIP and do:
gpg-connect-agent "delete_key $KEYGRIP" /bye
(note that gpg-agent might prompt you about deletion when you do this)
Now you can verify that this worked by running the snapshot again and
comparing it with the earlier run:
gpg --with-keygrip --list-secret-keys "$YOUR_FINGERPRINT"
The difference should be that you should see a "#" appear after the
"ssb" line that talks about the associated subkey. The "#" means "no
secret key available."
hth,
--dkg
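An added example, not part of dkg's message or of GnuPG: a POSIX shell helper that reads the machine-readable form of the listing above (gpg --with-colons --with-keygrip --list-secret-keys), checks that a keygrip belongs to a subkey that still holds secret material before emitting the delete_key command, and confirms afterwards that only a stub remains. It assumes GnuPG's colon format (keygrip in field 10 of a "grp" record, "#" in field 15 of an "ssb" record for a stub); the key IDs, fingerprints and keygrips in the sample listing are constructed.

```shell
#!/bin/sh
# Constructed --with-colons listing: one primary key and two subkeys.
# Format assumed per GnuPG: 'grp' field 10 = keygrip, sec/ssb field 15 = '#'
# when only a stub (no secret key material) is present.
SAMPLE_BEFORE='sec:u:3072:1:0000000000000001:1554900000:::u:::scESC:::+:::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
grp:::::::::AAAA000000000000000000000000000000000000:
uid:u::::1554900000::HASH::Example User <user@example.org>::::::::::0:
ssb:u:3072:1:0000000000000002:1554900000::::::e:::+:::+:::23:
fpr:::::::::2222222222222222222222222222222222222222:
grp:::::::::BBBB000000000000000000000000000000000000:
ssb:u:3072:1:0000000000000003:1554900000::::::s:::+:::23:
fpr:::::::::3333333333333333333333333333333333333333:
grp:::::::::CCCC000000000000000000000000000000000000:'
# Same key after gpg-agent deleted the signing subkey: its ssb record is a stub.
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" \
  | sed 's/^\(ssb:u:3072:1:0000000000000003:.*\):+:::23:$/\1:#:::23:/')

# keygrip_status LISTING KEYGRIP -> present | stub | primary | missing
keygrip_status() {
  printf '%s\n' "$1" | awk -F: -v grip="$2" '
    $1 == "sec" || $1 == "ssb" { rec = $1; state = ($15 == "#") ? "stub" : "present"; next }
    $1 == "grp" && $10 == grip { print (rec == "sec") ? "primary" : state; found = 1; exit }
    END { if (!found) print "missing" }'
}

# Emit the gpg-connect-agent command only for a subkey that still has secret
# material; refuse for the primary key, an already-deleted stub, or an
# unknown keygrip, so a typo cannot turn into the wrong deletion.
plan_subkey_delete() {
  status=$(keygrip_status "$1" "$2")
  case $status in
    present) printf 'gpg-connect-agent "delete_key %s" /bye\n' "$2" ;;
    *) printf 'refusing: keygrip %s is %s\n' "$2" "$status" >&2; return 1 ;;
  esac
}

# After the agent call, re-run the listing and require the "#" stub marker.
verify_subkey_deleted() {
  [ "$(keygrip_status "$1" "$2")" = stub ]
}
```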