On Mar 1, 2010, at 12:20 PM, Phillip Susi wrote:

> I would like to keep the private portion of my primary key stored offline and
> use an expiring secondary key for day to day signing. To accomplish this I
> have tried backing up the key after creating the secondary signing key, then
> attempting to delete the private portion of the primary key from the key
> ring, but even when I explicitly specify the primary key ID to delete with
> --delete-primary-keys, the secondary private key is also removed.
>
> How can I remove ONLY the private part of the primary key, and not the
> secondary key(s)?

What you need to do is an --export-secret-subkeys (there is no such command as --delete-primary-keys). So, starting from a state where your whole key (primary and all secondaries) is imported to your GPG instance, do:

  gpg --export-secret-subkeys (thekeyid) > my-secondary-keys-only.gpg

Then import my-secondary-keys-only.gpg into whichever GPG you want to use it with. If you want to use it with the same one you just exported from, then do:

  gpg --export-secret-key (thekeyid) > my-real-secret-key.gpg
  gpg --delete-secret-key (thekeyid)
  gpg --import my-secondary-keys-only.gpg

(i.e. save a copy of the full key, delete it from the keyring, and replace it with the secondary-key-only copy). Make sure you save my-real-secret-key.gpg in a safe place!

Didn't someone write a nice HOWTO about offline private keys at one point? I thought there was one out there, but can't find it at the moment. Can anyone post the URL for Phillip?

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
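
A check to run after the steps in the reply above, added here as an example and not part of the original thread: it reads GnuPG's colon-format secret key listing and confirms that the primary secret key is only a stub while at least one secret subkey is usable. The function name, the sample key IDs and the sample listings are constructed for illustration; the check relies on field 15 of `sec`/`ssb` records being `#` for a stub, as described in GnuPG's doc/DETAILS.

```shell
#!/bin/sh
# Usage on a real keyring (replace KEYID with your key ID):
#   gpg --list-secret-keys --with-colons KEYID | check_offline_primary

# Reads a colon-format secret key listing on stdin.
# Exit 0: primary is a stub and at least one secret subkey is usable.
# Exit 1: primary secret still present, or no usable subkey.
# Exit 2: no secret key record in the input at all.
check_offline_primary() {
    awk -F: '
        $1 == "sec" { nsec++; if ($15 != "#") primary_present = 1 }
        $1 == "ssb" { if ($15 == "#") stubs++; else usable++ }
        END {
            if (nsec == 0) { print "no secret key record found"; exit 2 }
            if (primary_present) {
                print "primary secret key is still on this keyring"; exit 1
            }
            if (usable == 0) { print "no usable secret subkey"; exit 1 }
            printf "ok: primary offline, %d usable subkey(s)\n", usable
        }'
}

# Constructed listing: keyring after importing the subkeys-only export.
sample_offline() {
    cat <<'EOF'
sec:u:2048:1:AAAAAAAAAAAAAAAA:1267401600:::u:::scSC:::#:
uid:u::::1267401600::0000000000000000000000000000000000000000::Example User <user@example.org>:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1267401600:1298937600:::::s:::+:
EOF
}

# Constructed listing: keyring that still holds the full secret key.
sample_full() {
    cat <<'EOF'
sec:u:2048:1:AAAAAAAAAAAAAAAA:1267401600:::u:::scSC:::+:
uid:u::::1267401600::0000000000000000000000000000000000000000::Example User <user@example.org>:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1267401600:1298937600:::::s:::+:
EOF
}

# Demo on the constructed offline-primary listing.
sample_offline | check_offline_primary
```

In the human-readable `gpg --list-secret-keys` output the same state shows up as `sec#` on the primary key line.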