Delete GPG Primary Key

It is common to delete a primary key from the local system once you have backed it up and no longer use it there. This section guides you through deleting the primary key.

Before you start, note that if the primary key has been published and you are no longer using it, you should publish its revocation certificate before deleting it. You should still keep a backup of that key for a period of time (e.g. 5 years) so that the people who trust your key have time to pick up the change.

Deleting Primary Key

With the backup and the revocation certificate taken care of, proceed with the steps below.

Identify Your Primary Key ID

Start by obtaining the ID of the primary key you intend to delete. Run the following command and find your key in its output:

gpg --list-secret-keys

Example:

$ gpg --list-secret-keys
...
---------------------------
sec   rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid           [ultimate] "Shotgun" John, Smith <john.smith@company.com>
uid           [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
ssb   rsa4096 2020-01-10 [S] [expires: 2022-01-09]
ssb   rsa4096 2020-01-10 [E] [expires: 2022-01-09]
ssb   rsa4096 2020-01-10 [A] [expires: 2022-01-09]
ssb   ed25519 2020-01-10 [S] [expires: 2022-01-09]
ssb   ed25519 2020-01-10 [A] [expires: 2022-01-09]
ssb   cv25519 2020-01-10 [E] [expires: 2022-01-09]

In the example above,

  1. The primary key ID is: AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF. Make sure this is the primary key you want to delete.

Delete Your Primary Key

Next, use the --delete-secret-and-public-keys <ID> argument to delete your primary key. If no secret key exists for that ID, GnuPG skips the secret-key step and deletes only the public key.

You will be prompted several times to confirm the deletion. Here is the full command:

$ gpg --delete-secret-and-public-keys <ID>

The output looks similar to the following:

$ gpg --delete-secret-and-public-keys AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


sec  rsa4096/66F2E45747AB2C90 2020-01-10 "Shotgun" John, Smith <john.smith@company.com>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
pub  rsa4096/66F2E45747AB2C90 2020-01-10 "Shotgun" John, Smith <john.smith@company.com>

Delete this key from the keyring? (y/N) y

...
$


Verify Key

Now that everything is completed, you can verify your key again using the following command:

$ gpg --list-secret-keys

The deleted key should no longer appear in the output, which now looks like this:

...
---------------------------
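As an added example (not part of this guide, and not GnuPG's own tooling), the following POSIX shell script wraps the three steps above, identify, delete, verify, with the checks a practitioner wants before an irreversible deletion: it reads fingerprints from the machine-readable --with-colons listing instead of a human-read one, accepts only a full 40-hex-digit fingerprint, and refuses to run gpg until a backup and a revocation certificate exist. The backup directory layout and file names are assumptions, and the colon-format listing is a constructed sample for the key shown in this guide.

```shell
#!/bin/sh
# Guarded wrapper around `gpg --delete-secret-and-public-keys` (added example).

# Constructed sample of `gpg --with-colons --list-secret-keys` for the key
# shown in the guide; field 10 of an `fpr` record is the full fingerprint.
SAMPLE_COLONS='sec:u:4096:1:F5EF57A0FB4EF0EF:1578614400:::u:::cSC:::+:::23::0:
fpr:::::::::AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF:
uid:u::::1578614400::0123456789ABCDEF::"Shotgun" John, Smith <john.smith@company.com>::::::::::0:
ssb:u:4096:1:0011223344556677:1578614400:1641686400:::::s:::+:::23:
fpr:::::::::0000000000000000000000000000000000000000:'

# Print the fingerprint of every *primary* secret key: the fpr record that
# directly follows a sec record. Subkey (ssb) fingerprints are skipped.
primary_fingerprints() {
    awk -F: '/^sec:/ { want = 1; next }
             /^fpr:/ { if (want) print $10; want = 0; next }
             { want = 0 }'
}

# A full 40-hex-digit fingerprint is what gpg requires in batch mode, and it
# is the only identifier that cannot be confused with another key.
is_fingerprint() {
    printf '%s' "$1" | grep -Eq '^[0-9A-F]{40}$'
}

# Return 0 only when the backup directory holds both the exported secret key
# and the revocation certificate for this fingerprint (assumed naming scheme).
preflight() {
    fpr=$1; backup_dir=$2
    is_fingerprint "$fpr" || { echo "not a full fingerprint: $fpr" >&2; return 1; }
    [ -s "$backup_dir/$fpr.secret.asc" ] || { echo "missing secret-key backup" >&2; return 1; }
    [ -s "$backup_dir/$fpr.rev" ] || { echo "missing revocation certificate" >&2; return 1; }
}

# Return 0 when the fingerprint no longer appears among the primary keys
# in the colon-format listing read from stdin.
key_absent() {
    ! primary_fingerprints | grep -qx "$1"
}

# The destructive step, reached only after preflight passes; --batch --yes
# answers the confirmation prompts shown in the guide non-interactively.
delete_primary_key() {
    preflight "$1" "$2" || return 1
    gpg --batch --yes --delete-secret-and-public-keys "$1" || return 1
    gpg --with-colons --list-secret-keys | key_absent "$1"
}

# Non-destructive demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_COLONS" | primary_fingerprints
```

Invoke the destructive step as `delete_primary_key AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF /path/to/backups`; it returns non-zero, without touching the keyring, when any check fails.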

That's all for deleting GPG Primary Key.