I would like to delete an OpenPGP subkey of mine on Linux (L)Ubuntu 16.04 in GnuPG. It's a kind of "blank" useless key (see below key 33333333). I have not uploaded it to key servers, so I think it's ok to delete without revoking it.

gpg2 --edit-key me@example.com

sec  rsa4096/11111111
     created: 2016-12-12  expires: 2017-12-12  usage: SC  
     confiance : ultime        validity: ultimate
ssb  rsa4096/22222222
     created: 2016-12-12  expires: 2017-12-12  usage: E   
ssb  rsa4096/33333333
     created: 2016-12-12  expires: never       usage:     
ssb  rsa4096/44444444
     créé : 2016-12-12  expires: 2017-12-12  usage: S   
[  ultimate ] (1). me <me@example.com>

I tried "gpg> delkey 33333333", but I had this message:

You must select at least one key.
(Use the 'key' command.)

then gpg> key 33333333, and I had this result (same result as list command):

sec  rsa4096/11111111
     created: 2016-12-12  expires: 2017-12-12  usage: SC  
     confiance : ultime        validity: ultimate
ssb  rsa4096/22222222
     created: 2016-12-12  expires: 2017-12-12  usage: E   
ssb  rsa4096/33333333
     created: 2016-12-12  expires: never       usage:     
ssb  rsa4096/44444444
     créé : 2016-12-12  expires: 2017-12-12  usage: S   
[  ultimate ] (1). me <me@example.com>

What should I do next?

aldaron
  • On the Linux command line (and in general), you can get English language output for pretty much all applications by prefixing `LANG=C`, e.g. `LANG=C gpg2 --edit-key ...`. Alternatively, "switch" a shell to English language by running `export LANG=C`. – Jens Erat Oct 06 '16 at 21:51
  • Small caution to anyone deleting a subkey, if you delete even a _public_ subkey it may mean that the related private subkey is no longer available to decrypt. I was able to fix it easily - https://security.stackexchange.com/questions/262703/deleted-a-subkey-and-can-now-no-longer-decrypt/ not sure if it is always like that though. – cardamom Jun 13 '22 at 19:11

1 Answer

GnuPG's interactive `--edit-key` menu works differently. You do not select a subkey by `key [subkey-id]`, but by `key [key-index]`; in your case this would be `key 2` (the second subkey from the top; the primary key doesn't count).

After doing so, the line

ssb  rsa4096/33333333

will change to

ssb* rsa4096/33333333

with an asterisk indicating the key being selected. After selecting one or more keys, run `delkey` to delete the selected subkeys. Don't forget to `save`!

Jens Erat
  • Thanks a lot. I had not seen the asterisk thing before. Thank you! PS: key-index number was 2, not 3 (I could not select the first "sec" key). – aldaron Oct 07 '16 at 11:19
  • You're right, I should have only counted the subkeys. If this answered your question, consider selecting the checkmark on the left (also have a look at the [FAQ]). – Jens Erat Oct 07 '16 at 12:04
  • Wow, that was unintuitive. I kept selecting by key-id. – arviman Aug 29 '17 at 11:39
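
Added example (not part of the original question or answer, and not GnuPG's own code): a small shell helper that works out which number to give the `key` command for a known subkey ID, by counting subkey records in `--with-colons` output. The function names `subkey_index` and `sample_listing` are hypothetical, the listing and its long key IDs are constructed, and it assumes the colon listing shows subkeys in the same order as the `--edit-key` menu.

```shell
#!/bin/sh
# Constructed sample of `gpg2 --with-colons --list-keys` output, modelled on
# the key in the question. The 16-digit key IDs are made up; only their last
# eight digits match the short IDs shown on the page.
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:AAAAAAAA11111111:1481500800:1513036800::u:::scESC:
uid:u::::1481500800::::me <me@example.com>:
sub:u:4096:1:BBBBBBBB22222222:1481500800:1513036800:::::e:
sub:u:4096:1:CCCCCCCC33333333:1481500800::::::
sub:u:4096:1:DDDDDDDD44444444:1481500800:1513036800:::::s:
EOF
}

# subkey_index KEYID
# Reads a colon listing on stdin and prints the index to use with "key N".
# Only sub/ssb records are counted, so the primary key never gets an index.
# Exit status is 1 if KEYID is shorter than 8 digits or is not a subkey.
subkey_index() {
    awk -F: -v want="$1" '
        BEGIN {
            want = toupper(want)
            found = 0
            if (length(want) < 8) exit 1      # refuse ambiguous fragments
        }
        $1 == "pub" || $1 == "sec" { n = 0 }  # new primary key: restart count
        $1 == "sub" || $1 == "ssb" {
            n++
            id = toupper($5)                  # field 5 is the long key ID
            # Accept the full ID or a trailing short ID such as 33333333.
            if (length(want) <= length(id) &&
                substr(id, length(id) - length(want) + 1) == want) {
                print n
                found = 1
                exit
            }
        }
        END { exit !found }
    '
}

# Against a real keyring the call would be:
#   gpg2 --with-colons --list-keys me@example.com | subkey_index 33333333
sample_listing | subkey_index 33333333    # prints 2
```

The printed number is what goes after `key` at the `gpg>` prompt, followed by `delkey` and `save` as the answer describes.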