How to delete a subkey on Linux in GnuPG?

11,403

GnuPG's interactive --edit-key menu works differently. You do not select a subkey by key [subkey-id], but by key [key-index]. In your case, this would be key 2 (the second subkey from the top; the primary key doesn't count).

After doing so, the line

ssb  rsa4096/33333333

will change to

ssb* rsa4096/33333333

with an asterisk indicating the key being selected. After selecting one or more keys, run delkey to delete the selected subkeys. Don't forget to save!
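Added example, not part of the original answer: a shell helper that turns a subkey's key ID into the index that key expects, by counting sub records in the --with-colons listing. The function name subkey_index, the GPG variable and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: map a subkey's key ID to the index "key N" expects.
# subkey_index is a hypothetical helper; it reads `gpg --with-colons
# --list-keys <key>` output on stdin and prints the 1-based subkey index.
subkey_index() {
    want=$(printf '%s' "${1#0x}" | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 64
    awk -F: -v want="$want" '
        BEGIN {
            # A v4 fingerprint ends in the 16-digit long key ID; keep that part.
            if (length(want) > 16) want = substr(want, length(want) - 15)
        }
        $1 == "pub" || $1 == "sec" { n = 0; next }  # primary key is not counted
        $1 == "sub" || $1 == "ssb" {
            n++
            id = toupper($5)                        # field 5: long key ID
            # Short (8-digit) IDs match as a suffix of the long key ID.
            if (substr(id, length(id) - length(want) + 1) == want) { hits++; idx = n }
        }
        END {
            if (hits == 1) { print idx; exit 0 }
            exit (hits == 0 ? 1 : 2)                # 1 = not found, 2 = ambiguous
        }'
}

# Constructed sample listing mirroring the key layout in the question.
SAMPLE='pub:u:4096:1:AAAAAAAA11111111:1481500800:1513036800::u:::scESC:
uid:u::::1481500800::::me <me@example.invalid>:
sub:u:4096:1:BBBBBBBB22222222:1481500800:1513036800:::::e:
sub:u:4096:1:CCCCCCCC33333333:1481500800:::::::
sub:u:4096:1:DDDDDDDD44444444:1481500800:1513036800:::::s:'

# Live use: sh subkey-index.sh <primary key or uid> <subkey id>
if [ "$#" -eq 2 ]; then
    idx=$("${GPG:-gpg}" --with-colons --list-keys "$1" | subkey_index "$2") || {
        echo "subkey $2 not found or ambiguous under $1" >&2; exit 1; }
    echo "gpg --edit-key $1: 'key $idx', check for 'ssb*', then 'delkey' and 'save'"
else
    printf '%s\n' "$SAMPLE" | subkey_index 33333333   # sample run
fi
```

The helper only computes the index; selection, delkey and save still happen in the interactive menu, where the asterisk confirms which subkey is selected before anything is deleted.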


Author by

aldaron

Updated on September 18, 2022

Comments

  • aldaron
    aldaron over 1 year

    I would like to delete an OpenPGP subkey of mine on Linux (L)Ubuntu 16.04 in GnuPG. It's a kind of "blank" useless key (see below key 33333333). I have not uploaded it to key servers, so I think it's ok to delete without revoking it.

    gpg2 --edit-key [email protected]
    
    sec  rsa4096/11111111
         created: 2016-12-12  expires: 2017-12-12  usage: SC  
         confiance : ultime        validity: ultimate
    ssb  rsa4096/22222222
         created: 2016-12-12  expires: 2017-12-12  usage: E   
    ssb  rsa4096/33333333
         created: 2016-12-12  expires: never       usage:     
    ssb  rsa4096/44444444
         créé : 2016-12-12  expires: 2017-12-12  usage: S   
    [  ultimate ] (1). me <[email protected]>
    

    I tried "gpg> delkey 33333333", but I had this message :

    You must select at least one key.
    (Use the 'key' command.)
    

    then gpg> key 33333333, and I had this result (same result as list command):

    sec  rsa4096/11111111
         created: 2016-12-12  expires: 2017-12-12  usage: SC  
         confiance : ultime        validity: ultimate
    ssb  rsa4096/22222222
         created: 2016-12-12  expires: 2017-12-12  usage: E   
    ssb  rsa4096/33333333
         created: 2016-12-12  expires: never       usage:     
    ssb  rsa4096/44444444
         créé : 2016-12-12  expires: 2017-12-12  usage: S   
    [  ultimate ] (1). me <[email protected]>
    

    What should I do next?

    • Jens Erat
      Jens Erat over 7 years
      On the Linux command line (and in general), you can get English language output for pretty much all applications by prefixing LANG=C, e.g. LANG=C gpg2 --edit-key .... Alternatively, "switch" a shell to English language by running export LANG=C.
    • Admin
      Admin almost 2 years
      Small caution to anyone deleting a subkey: if you delete even a public subkey, it may mean that the related private subkey is no longer available to decrypt. I was able to fix it easily - security.stackexchange.com/questions/262703/… not sure if it is always like that though.
  • aldaron
    aldaron over 7 years
    Thanks a lot. I had not seen the asterisk thing before. Thank you! PS: key-index number was 2, not 3 (I could not select the first "sec" key).
  • Jens Erat
    Jens Erat over 7 years
    You're right, I should have only counted the subkeys. If this answered your question, consider selecting the checkmark on the left (also have a look at the FAQ).
  • arviman
    arviman over 6 years
    wow that was unintuitive. I kept selecting by key-id.