On Mar 1, 2010, at 3:31 PM, Phillip Susi wrote:

> On 3/1/2010 1:57 PM, David Shaw wrote:
>> What you need to do is an --export-secret-subkeys (there is no such command 
>> as --delete-primary-keys).  So, starting from a state where your whole key 
>> (primary and all secondaries) are all imported to your GPG instance, do:
> 
> Yes, I meant --delete-secret-key
> 
>>    gpg --export-secret-subkeys (thekeyid)>  my-secondary-keys-only.gpg
>> 
>> Then import my-secondary-keys-only.gpg into whichever GPG you want to use it 
>> with.  If you want to use it with the same one you just exported from, then 
>> do:
>> 
>>   gpg --export-secret-key (thekeyid)>  my-real-secret-key.gpg
>>   gpg --delete-secret-key (thekeyid)
>>   gpg --import my-secondary-keys-only.gpg
>> 
>> (i.e. save a copy of the full key, delete it from the keyring, and replace 
>> it with the secondary-key-only copy).
> 
> This does the trick, but I still do not understand why --delete-secret-key 
> removes BOTH the primary and subkey secrets when I specifically gave only the 
> ID of the subkey?  Shouldn't it remove exactly what I say and no more?

It has to do with how keys are specified.  In GnuPG, you can specify a key in a 
number of ways - by name, by (any) fingerprint, and by (any) key ID.  So if you 
have a key named "foobar", and the key ID is AAAAAAAA and the subkey ID is 
BBBBBBBB, you could refer to that key with any of "foobar", "AAAAAAAA", or 
"BBBBBBBB".  When you say "--delete-secret-key BBBBBBBB", you're actually saying 
delete the whole key.

David


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
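
An added example, not part of the original thread or of GnuPG itself: a check to run after the subkey-only import, showing that a subkey ID selects the whole key block and confirming that the primary secret is only a stub. It assumes the `--with-colons` layout described in GnuPG's doc/DETAILS (field 5 is the key ID, field 15 is `#` for a stub); the listing, the function names and the long key IDs built from the thread's AAAAAAAA/BBBBBBBB placeholders are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-secret-keys --with-colons` output after the
# subkey-only import (not captured from a real keyring). Field 5 is the key ID;
# field 15 is "#" when the secret part is only a stub.
SAMPLE='sec:u:2048:1:00000000AAAAAAAA:1267400000:::u:::scSC:::#:
uid:u::::1267400000::::foobar:
ssb:u:2048:1:00000000BBBBBBBB:1267400000::::::e:::+:'

# owning_primary LISTING KEYID
# Print the primary key ID of the block containing KEYID (primary or subkey,
# long or short form). A subkey ID selects the whole key, as the thread explains.
owning_primary() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        BEGIN { want = toupper(want); n = length(want) }
        $1 == "sec" { primary = $5 }
        ($1 == "sec" || $1 == "ssb") && substr($5, length($5) - n + 1) == want { print primary; exit }'
}

# secret_state LISTING: one line per secret record, "<type> <keyid> stub|present".
secret_state() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" || $1 == "ssb" {
            print $1, $5, ($15 == "#" ? "stub" : "present") }'
}

# primary_is_offline LISTING KEYID: succeed only if the block holding KEYID has
# a stubbed primary and at least one subkey whose secret material is present.
primary_is_offline() {
    p=$(owning_primary "$1" "$2") || return 1
    [ -n "$p" ] || return 1
    printf '%s\n' "$1" | awk -F: -v p="$p" '
        $1 == "sec" { inblk = ($5 == p); if (inblk) stub = ($15 == "#") }
        $1 == "ssb" && inblk && $15 != "#" { sub_ok = 1 }
        END { exit !(stub && sub_ok) }'
}

owning_primary "$SAMPLE" BBBBBBBB
secret_state "$SAMPLE"
primary_is_offline "$SAMPLE" BBBBBBBB && echo "primary secret key is offline"
```

On a real keyring, pass the output of `gpg --list-secret-keys --with-colons` in place of `$SAMPLE`.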
