Page MenuHome GnuPG
Create Task
Maniphest T4993

Delete only private signing key from within gpg (without reimporting subkeys or 'rm ~/.gnupg/private-keys-v1.d/KEYGRIP.key')
Closed, ResolvedPublic
Actions

Description

I'm actually unsure if this is a feature request or if I just missed something, so please excuse this question if there is an option for doing what I'm trying to do.

From what I understand it is considered to be good practice to generate a private-public keypair, generate a subkey for encrypting, export all three keys and store/backup them (e.g. using 'paperkey') and then only re-import the public key and the subkey (see https://paul.fawkesley.com/gpg-for-humans-protecting-your-primary-key/ as well as https://riseup.net/en/security/message-security/openpgp/best-practices#only-use-your-primary-key-for-certification-and-possibly-signing-have-a-separate-subkey-for-encryption). In addition keys should have an expiration date (see https://riseup.net/en/security/message-security/openpgp/best-practices#use-an-expiration-date-less-than-two-years).

To update the expiration date, I currently perform the following steps manually:

gpg --import /PATH/TO/FULL-PRIVATE-KEY.asc
gpg --edit-key BADC0FFE0DDF00D
> expire      # the main key
> 1y          # expire in 1 year
> key 1       # select the first subkey
> key 2       # select the second subkey in addition
> expire      # for both of the subkeys
> y           # perform action on both keys
> 1y          # expire in 1 year
> save

Now I want to delete the imported private main key again. Currently I know of two methods to do that: either

gpg -K BADC0FFE0DDF00D         # here I should see the key
gpg --delete-secret-and-public-keys BADC0FFE0DDF00D
gpg -K BADC0FFE0DDF00D         # now nothing should be visible
gpg --import /PATH/TO/PRIVATE-SUB-KEY.asc /PATH/TO/PUBLIC-KEY.pub

or

gpg -K --with-keygrip BADC0FFE0DDF00D     # copy the keygrip and use it below
rm -i ~/.gnupg/private-keys-v1.d/8BADF00DBEEFCACEDEFEC8EDDEADFA11.key

I dislike both methods: the first one has many steps and requires me to export and then import the (public and sub-)key files, the second one feels kind-of easy-to-get-wrong (you don't get asked for confirmation (ignoring the 'rm -i'), e.g. if that is the correct secret key you are deleting).

Isn't there anything more elegant I could do, like

gpg --delete-only-the-private-signing-key-if-you-have-already-created-other-subkeys BADC0FFE0DDF00D

or something similar? I'd appreciate any ideas!

I'm using Debian Stable (actually PureOS amber, which is based on Debian Stable) and gpg (GnuPG) 2.2.12

ps: I posted this about 2 weeks ago on stackoverflow.com (https://stackoverflow.com/questions/62640509/delete-only-private-signing-key-from-within-gpg-without-reimporting-subkeys-or).

Details

External Link
https://stackoverflow.com/questions/62640509/delete-only-private-signing-key-from-within-gpg-without-reimporting-subkeys-or
Version
2.2.12

Event Timeline

n0542344 created this task.Jul 13 2020, 9:50 AM
werner triaged this task as Normal priority.Jul 13 2020, 1:36 PM
werner edited projects, added gnupg (gpg22), FAQ; removed Feature Request.
werner added a subscriber: werner.

To change the expiration date, I would suggest to use

gpg --quick-set-expire  FINGERPRINT \*

which is easier to script. See the man page for details.

For deleting just the primary secret key you can use a regular command; for example:

$ gpg --delete-secret-key 502D1A5365D1C0CAA69945390BA52DF0BAA59D9C\!
sec  nistp256/0BA52DF0BAA59D9C 2010-09-17 ec_dsa_dh_256 <openpgp@brainhub.org>
Note: Only the secret part of the shown primary key will be deleted.
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

Note the exclamation mark at the end of the fingerprint - it forces the use of a specific primary or subkey so that the command does not work on the entire key. The exclamation mark is quoted due to shell requirements. To avoid the confirmation prompts add --batch and --yes. Take care: your version 2.2.12 does not work correctly; we fixed this with 2.2.16 - so better update to the latest version (2.2.21 released last week).

n0542344 added a comment.Jul 14 2020, 11:39 AM

Dear Werner!

n0542344 added a comment.Jul 14 2020, 11:49 AM

Dear Werner!

Thank you very much for your swift answer! I'll also post this on
stackoverflow.com to get the word out.

werner closed this task as Resolved.Aug 24 2020, 7:49 AM
werner claimed this task.