
Delete only private signing key from within gpg (without reimporting subkeys or 'rm ~/.gnupg/private-keys-v1.d/KEYGRIP.key')
Closed, Resolved. Public

Description

I'm actually unsure if this is a feature request or if I just missed something, so please excuse this question if there is an option for doing what I'm trying to do.

From what I understand it is considered to be good practice to generate a private-public keypair, generate a subkey for encrypting, export all three keys and store/back them up (e.g. using 'paperkey') and then only re-import the public key and the subkey (see https://paul.fawkesley.com/gpg-for-humans-protecting-your-primary-key/ as well as https://riseup.net/en/security/message-security/openpgp/best-practices#only-use-your-primary-key-for-certification-and-possibly-signing-have-a-separate-subkey-for-encryption). In addition, keys should have an expiration date (see https://riseup.net/en/security/message-security/openpgp/best-practices#use-an-expiration-date-less-than-two-years).

To update the expiration date, I currently perform the following steps manually:

gpg --import /PATH/TO/FULL-PRIVATE-KEY.asc
gpg --edit-key BADC0FFE0DDF00D
> expire      # the main key
> 1y          # expire in 1 year
> key 1       # select the first subkey
> key 2       # select the second subkey in addition
> expire      # for both of the subkeys
> y           # perform action on both keys
> 1y          # expire in 1 year
> save

Now I want to delete the imported private main key again. Currently I know of two methods to do that: either

gpg -K BADC0FFE0DDF00D         # here I should see the key
gpg --delete-secret-and-public-keys BADC0FFE0DDF00D
gpg -K BADC0FFE0DDF00D         # now nothing should be visible
gpg --import /PATH/TO/PRIVATE-SUB-KEY.asc /PATH/TO/PUBLIC-KEY.pub

or

gpg -K --with-keygrip BADC0FFE0DDF00D     # copy the keygrip and use it below
rm -i ~/.gnupg/private-keys-v1.d/8BADF00DBEEFCACEDEFEC8EDDEADFA11.key

I dislike both methods: the first one has many steps and requires me to export and then import the (public and sub-)key files; the second one feels kind of easy to get wrong (you don't get asked for confirmation, ignoring the 'rm -i', e.g. whether that is the correct secret key you are deleting).

Isn't there anything more elegant I could do, like

gpg --delete-only-the-private-signing-key-if-you-have-already-created-other-subkeys BADC0FFE0DDF00D

or something similar? I'd appreciate any ideas!

I'm using Debian Stable (actually PureOS amber, which is based on Debian Stable) and gpg (GnuPG) 2.2.12.

PS: I posted this about 2 weeks ago on stackoverflow.com (https://stackoverflow.com/questions/62640509/delete-only-private-signing-key-from-within-gpg-without-reimporting-subkeys-or).

Event Timeline

werner triaged this task as Normal priority. Jul 13 2020, 1:36 PM
werner edited projects, added gnupg (gpg22), FAQ; removed Feature Request.
werner added a subscriber: werner.

To change the expiration date, I would suggest using

gpg --quick-set-expire  FINGERPRINT \*

which is easier to script. See the man page for details.

For deleting just the primary secret key you can use a regular command; for example:

$ gpg --delete-secret-key 502D1A5365D1C0CAA69945390BA52DF0BAA59D9C\!
sec  nistp256/0BA52DF0BAA59D9C 2010-09-17 ec_dsa_dh_256 <openpgp@brainhub.org>
Note: Only the secret part of the shown primary key will be deleted.
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

Note the exclamation mark at the end of the fingerprint - it forces the use of a specific primary or subkey so that the command does not work on the entire key. The exclamation mark is quoted due to shell requirements. To avoid the confirmation prompts add --batch and --yes. Take care: your version 2.2.12 does not work correctly; we fixed this with 2.2.16 - so better update to the latest version (2.2.21 released last week).
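The workflow Werner describes (renew the expiry, delete only the primary secret key, then check that the keyring still holds the subkeys), as an added shell example that is not part of the thread or the GnuPG project. It assumes GnuPG 2.2.16 or later and a placeholder FPR; the sample colon listings are constructed, reusing the fingerprint and key ID from Werner's transcript with made-up subkey values.

```shell
#!/bin/sh
# Added example (not GnuPG project code): script the "renew expiry, then
# drop only the primary secret key" procedure and verify the result from
# the machine-readable listing. Assumes GnuPG >= 2.2.16 ("!" suffix fix).
set -eu

# Read a colon-format secret listing (gpg --with-colons -K) on stdin.
# Field 15 of sec/ssb records is "+" when the secret key is available and
# "#" when only a stub remains. Succeed only if the single primary key is a
# stub and every subkey still has its secret part.
check_primary_detached() {
  awk -F: '
    $1 == "sec" { sec++; if ($15 != "#") bad++ }
    $1 == "ssb" { ssb++; if ($15 != "+") bad++ }
    END { status = (sec == 1 && ssb >= 1 && bad == 0) ? 0 : 1; exit status }
  '
}

# Renew the expiry on the primary key and all subkeys ("*"), delete only the
# primary secret key (trailing "!" pins the command to that exact key) and
# confirm the keyring state. FPR is a placeholder for a full fingerprint.
detach_primary_secret() {
  fpr=$1
  gpg --quick-set-expire "$fpr" 1y '*'
  gpg --batch --yes --delete-secret-key "${fpr}!"
  gpg --with-colons -K "$fpr" | check_primary_detached
}

# Constructed sample listing: full secret key imported (primary shows "+").
# Fingerprint/key ID from Werner's example; subkey values are made up.
SAMPLE_BEFORE='sec:u:256:19:0BA52DF0BAA59D9C:1284681600:1631536000::u:::cESCA:::+::nistp256:::0:
fpr:::::::::502D1A5365D1C0CAA69945390BA52DF0BAA59D9C:
uid:u::::1284681600::UIDHASH::ec_dsa_dh_256 <openpgp@brainhub.org>::::::::::0:
ssb:u:256:18:0000000000000001:1284681600:1631536000:::::e:::+::nistp256::
fpr:::::::::0000000000000000000000000000000000000001:'

# Constructed sample listing after the "!"-suffixed delete: the primary
# record becomes a stub ("#") while the subkey keeps its secret part ("+").
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | sed '1s/:::+::/:::#::/')

# Usage: detach_primary_secret 502D1A5365D1C0CAA69945390BA52DF0BAA59D9C
```

`gpg -K` shows the same state in human-readable form as `sec#` for the primary key and `ssb` for the retained subkey.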

Dear Werner!

Thank you very much for your swift answer! I'll also post this on stackoverflow.com to get the word out.

werner claimed this task.