GPG – update your subkeys and keep your master key safe

This tutorial is useful for everyone who wants to keep their master key safe, regardless wheter you have (now) your master key in your system.

If you want to know more why it is important to use subkeys and keep your master key safely stored, read the Subkeys page of the Debian Wiki.

Importing and editing your key

If you are already using only subkeys in your system, when you see your key’s details issuing gpg -K command you see something like:

$ gpg -K
gpg: enabled debug flags: memstat trust extprog
sec#  rsa4096 2016-06-23 [SC]

Pay attention to the ‘sec#’; the ‘#’ means the master key is not present, only subkeys. If your master key is not present, you must get access to the key wherever you stored it (offline media, USB, encrypted folder…).

Before to continue, lets make a backup of the .gnupg directory (who knows…):

$ umask 077; tar -cf $HOME/gnupg-backup.tar -C $HOME .gnupg

If you don’t have your master key in your system, let’s import it from where you store it safe (you’ll be promped for the passphrase):

$ gpg --import /path/to/your/private_key.asc

Run the command gpg -K to get you key’s ID to edit it as shown below:

$ gpg --edit-key <ID>

$ gpg --edit-key AFC8D26BEA1CAC0AC309070E472CB31D78EB1CBC
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: enabled debug flags: memstat trust extprog
Secret key is available.

sec  rsa4096/472CB31D78EB1CBC
     created: 2016-06-23  expires: never       usage: SC  
     trust: ultimate      validity: ultimate


Follow some commands often used to update the key and generating subkeys:

  • UID (Manage identities associated with the key):
    • uid <number>: select one or more UIDs to editdeluid: delete selected UIDsadduid: associate a new UID to the key
  • Key/Subkeys:
    • key <ID>: select one or more key/subkeys to editdelkey: delete selected key/subkeysaddkey: add a new encrypting or signing subkey
  • trust: define how much you trust that key (yours of others’)
  • expire: define when the key/subkey expires
  • passwd: change key password

In my case, I created a new signing subkey valid for one year, changed my encryption key expiration date for one year from now, and removed and added UID, because I moved to another company.

When you are done, save and quit.

Backing-up, exporting and protecting your master key


I’ve seen different approaches when it comes to backup. I prefer to backup the entire gnupg directory with the entire actual context; also because I can use my master key easily without having to import my master key to my system to perform actions that don’t involve changing my subkeys (shown ahead).

I save my gnupg directory inside of another gpg

$ cp -a .gnupg/ /path/to/safe_storage/gpg/gnupg/

Sending to a key server

In order to update your key and make it available through a keyserver on the Internet, send the key to the server of your preference as in the example below:

$ gpg --keyserver pgp.mit.edu --send-key 472CB31D78EB1CBC

Exporting keys

Why export keys/subkeys individually if we already exported the entire gnupg directory?

Because if you need to import only some specific key/subkey, you have it in hand.

The following commands export the private and public keys:

$ gpg --armor --export-secret-key key_ID > /path/to/safe_storage/gpg/private-master.key

Changing password for daily usage

For daily usage, an easier (not unsafe) password may be good for the subkeys. This is the moment, after exporting the master key, to change the password – password changing requires the master key.

Edit your key and use the passwd command to change the password.

Export your subkeys

You can export all your subkeys to the same file listing all the IDs (followed by “!”). In the example below I exported both encryption and sign subkeys separated:

# Encryption subkey
$ gpg --armor --export-secret-subkeys 574E68989A5FC3AA! > /path/to/safe_storage/gpg/encryption.subkey

# Signing subkey
$ gpg --armor --export-secret-subkeys 9AB3CE7055046912! > /path/to/safe_storage/gpg/sign.subkey

Removing your master key from your system

This covers only the method for GPG 2.1+; you can find how to remove your master key in previous versions at Debian Wiki.

Get your master key’s KEYGRIP with the following command:

$ gpg --with-keygrip --list-key <ID>

Use the KEYGRIP to delete the private part of the key, as shown below:

$ rm ~/.gnupg/private-keys-v1.d/<KEYGRIP>.key

A note from the Debian Wiki:

Note however that if the keyring has just been migrated to the new format, then the now obsolete $HOME/.gnupg/secring.gpg file might still contain the private master key: thus be sure to delete that file too if it is not empty.

Debian Wiki – Subkeys

Now, when you display your key, you must be the ‘#’ after the ‘sec’:

~$ gpg -K
gpg: enabled debug flags: memstat trust extprog
sec#  rsa4096 2016-06-23 [SC]


Before storing my master key, I create a tar file and encrypt it:

$ tar -cvf gpg-2018-10-30.tar gpg/
$ gpg -c gpg-2018-10-30.tar

Don’t forget to delete all files remaining from the process, including the unencrypted .tar and the gnupg-backup.tar created in the beginning.

The reverse process is:

$ gpg gpg-2018-10-30.tar
$ tar -xvf gpg-2018-10-30.tar

Using your master key without installing it

You may use your master key, for example, to sign someone’s key, from the backup directory, without installing it in your system. I copied my key files to /tmp/gpg. Inside the gpg directory I have the gnupg directory, that is a backup of my .gnupg. Using the homedir parameter you will access your key as if it was in your system and will be able to make any operation:

$ gpg --homedir=/tmp/gpg/gnupg/ -K

$ gpg --homedir=/tmp/gpg/gnupg/ --edit-key AFC8D26BEA1CAC0AC309070E472CB31D78EB1CBC


Leave a Reply