How do I delete secret subkeys correctly?
Matheus Afonso Martins Moreira
matheus.a.m.moreira at gmail.com
Fri Apr 12 04:57:22 CEST 2019
> I think you might be misinterpreting the result
> you say you are dealing with revoked subkeys.
> Unless you specify "--list-options show-unusable-subkeys",
> you might not see those in the keylistings even though they are there.
You're right!
> The gpg binary only deals with public keys in the keyring directly.
> Secret keys are delegated to gpg-agent, and gpg-agent works with
> keygrips only
So gpg focuses on the public key ring and public key operations
while gpg-agent is responsible for the private-keys-v1.d directory.
This explains why the names of the *.key files don't match
the fingerprints of the keys, unlike the *.rev files:
gpg-agent uses keygrips in order to refer to the private keys.
Before I found the --delete-secret-keys command,
I tried to delete the subkey files manually with rm.
Since their names did not match their fingerprints,
I did not know which files were the right ones.
> If it would have deleted the secret part,
> I'd have expected a popup from gpg-agent asking me if I was sure about
> that. I got no popup.
I understand now. That is what happened when I accidentally deleted
my original keys. I got a graphical confirmation pop-up from gpg-agent.
> delete_key 6D610FB78404E0C80954BB993E3410ED9FA463A6
Looks like this is the definitive answer.
I looked up the delete_key command in the gpg-agent manual.
There seems to be only one reference to it
in the description of the --allow-loopback-pinentry option.
It does not seem to be listed on the page where the other commands are:
https://www.gnupg.org/documentation/manuals/gnupg/Agent-Protocol.html
Is this gpg-agent command not documented?
I was able to obtain some help text for it:
$ gpg-connect-agent 'help delete_key' /bye
# DELETE_KEY [--force|--stub-only] <hexstring_with_keygrip>
#
# Delete a secret key from the key store. If --force is used
# and a loopback pinentry is allowed, the agent will not ask
# the user for confirmation. If --stub-only is used the key will
# only be deleted if it is a reference to a token.
OK
This does seem to be very useful. The --stub-only option in particular
is very relevant to me since I have subkeys on a YubiKey and would like
to delete their stubs in case of loss or deletion.
> I hope this helps your understanding!
It did! I was able to truly delete the subkey following your steps.
Now I have a much better understanding of how gpg works.
Thank you for the detailed answer!
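As an added example (not part of this thread or of GnuPG's own tooling), the mapping the thread arrives at, from the subkey fingerprint that gpg shows to the keygrip that gpg-agent names its private-keys-v1.d files after, done in a small POSIX shell script. The listing it parses is a constructed sample of `gpg --with-colons --with-keygrip -K` output; the fingerprints and keygrips in it are made up, and the delete_secret_subkey function (a name chosen here) is the only part that touches a real keyring.

```shell
#!/bin/sh
# Added example, not from the thread: map a subkey fingerprint (what gpg shows)
# to the keygrip gpg-agent uses for its private-keys-v1.d/<keygrip>.key file,
# then hand that keygrip to the agent's DELETE_KEY command.

# Constructed sample of `gpg --with-colons --with-keygrip -K` output
# (fingerprints and keygrips are made up; real ones are 40 hex digits too).
SAMPLE_LISTING='sec:u:4096:1:3E3410ED9FA463A6:1555000000::::::scESC:::+:::23::0:
fpr:::::::::AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000:
grp:::::::::1111111111111111111111111111111111111111:
ssb:u:4096:1:0123456789ABCDEF:1555000000::::::s:::+:::23:
fpr:::::::::BBBB0000BBBB0000BBBB0000BBBB0000BBBB0000:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:FEDCBA9876543210:1555000000::::::e:::+:::23:
fpr:::::::::CCCC0000CCCC0000CCCC0000CCCC0000CCCC0000:
grp:::::::::3333333333333333333333333333333333333333:'

# keygrip_for FINGERPRINT LISTING
# Prints the keygrip of the key whose "fpr" record matches FINGERPRINT.
# In colon output the fingerprint is field 10 of the fpr record and the
# keygrip is field 10 of the grp record that follows it. Exit 1 if absent.
keygrip_for() {
    printf '%s\n' "$2" | awk -F: -v want="$1" '
        $1 == "fpr" { hit = (toupper($10) == toupper(want)); next }
        $1 == "grp" && hit { print $10; found = 1; exit }
        END { if (found) exit 0; exit 1 }'
}

# delete_secret_subkey FINGERPRINT [--stub-only|--force]
# Looks the keygrip up in the live keyring and asks gpg-agent to delete the
# secret part. Without --force, gpg-agent asks for confirmation itself;
# --stub-only deletes only a reference to a token (e.g. a YubiKey stub).
delete_secret_subkey() {
    fpr=$1; shift
    grip=$(keygrip_for "$fpr" "$(gpg --batch --with-colons --with-keygrip -K)") || {
        echo "no secret key with fingerprint $fpr" >&2
        return 1
    }
    gpg-connect-agent "DELETE_KEY ${1:+$* }$grip" /bye
}

# Dry run against the constructed listing; gpg is not needed for this part.
keygrip_for BBBB0000BBBB0000BBBB0000BBBB0000BBBB0000 "$SAMPLE_LISTING"
```

Only keygrip_for runs against the sample; delete_secret_subkey is what you would call on a real keyring, and gpg-agent still shows its own confirmation pop-up unless --force is passed together with a permitted loopback pinentry.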