Embedded Files
In scenario where you want to protect your primary "certify" key, (the main key with [C] symbol), you might want to delete it if you're not performing any certification for safekeeping. When someone got your secret keys, he/she can't create new subkey or use your "certify" key. Hence, you can recover your identity by revoking all compromised subkeys and create new one with your backup primary key.
This section guides you on how to remove the master "certify" key from your primary key.
Backup Your Primary Key
Backup Your Primary Key
Needless to say, without the secret key, your primary key can't perform key certification once it got deleted (that means no subkey creation as well). Hence, DO THIS FIRST:
Removing Primary Master's Secret Key Only
Removing Primary Master's Secret Key Only
We can proceed to the master's key deletion now.
Identify Your Primary Key ID
Identify Your Primary Key ID
We start off by obtaining your primary key ID and the targeted sub-key. This is by using the following command and find your key:
gpg --list-secret-keysExample:
$ gpg --list-secret-keys ...---------------------------sec rsa4096 2020-01-10 [C] AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EFuid [ultimate] "Shotgun" John, Smith <john.smith@company.com>uid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>ssb rsa4096 2020-01-10 [S] [expires: 2022-01-09]ssb rsa4096 2020-01-10 [E] [expires: 2022-01-09]ssb rsa4096 2020-01-10 [A] [expires: 2022-01-09]ssb ed25519 2020-01-10 [S] [expires: 2022-01-09]ssb ed25519 2020-01-10 [A] [expires: 2022-01-09]ssb cv25519 2020-01-10 [E] [expires: 2022-01-09]In the example above,
- The primary key ID is:
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF. Make sure this is the primary key you wanted to export.
Delete When GnuPG is version 2.12 onwards
Delete When GnuPG is version 2.12 onwards
For GnuPG version 2.12 and above, you can use the gpg-connect agent to do the deletion. This is by using the following command:
$ gpg-connect-agent "DELETE_KEY <key-grip ID>" /byeBased on the keyring ID above, we got:
$ gpg-connect-agent "DELETE_KEY 5C2BF9CCCF9AE75304D4C11A65CABD66D4E0880B" /byeDelete When GnuPG is below version 2.12
Delete When GnuPG is below version 2.12
Otherwise, for any GnuPG version before 2.12, you need to execute the weird deletion path.
Look for Keyring
Unlike any other instructions, currently, you need to visit your GnuPG key storage folder usually located at $HOME/.gnupg/private-keys-v1.d. If you're using a remote storage location, look for it. Remove the .key file with your key-grip ID. You can use the rm command:
$ rm $HOME/.gnupg/private-keys-v1.d/<key-grip ID>.keySo, following the example above, the command is:
$ rm $HOME/.gnupg/private-keys-v1.d/5C2BF9CCCF9AE75304D4C11A65CABD66D4E0880B.keyDelete The Old GnuPG Caching File
This is to reconfirm, delete the following file if exists. You can just execute the following command:
$ rm $HOME/.gnupg/secring.gpg > /dev/nullIf you're using a remote storage location, look for it.
Verify the Deletion
Verify the Deletion
Once you completed your deletion, you can list the secret key again. This time, you should see a hash (#) next to your primary key.
/home/jane/.gnupg/pubring.kbx---------------------------------sec# rsa4096 2018-09-23 [SC] 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9 Keygrip = 5C2BF9CCCF9AE75304D4C11A65CABD66D4E0880Buid [ultimate] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>ssb rsa4096 2018-09-23 [E] Keygrip = 4DBE7D73AD5827BB28A12CB5F38F78C6EFE55A0Fssb rsa4096 2018-09-23 [E] Keygrip = A6B382C26B373A99AF5237BFE084E5765032A9ECssb rsa4096 2018-09-23 [S] Keygrip = 4F83F27A2B712C018AF20E3AE5428C37A1769940This indicates the secret key for your primary key is removed. In case you need it back, you can re-import your backup copy. At this stage, your key is known as secondary key. This key is safe to compromise since the "certify" capability is not available in the machine.
That's all about delete master key from your primary key.
Page updated
Google Sites
Report abuse