TIL: PGP keys can be edited on the command line
When a key pair is created by gpg --full-generate-key, it usually has one key with the Sign and Certify roles and a subkey with the Encrypt role, but it's possible to change that:
gpg --edit-key [KEY-ID] change-usage
where KEY-ID is the hexadecimal string which is printed for each key after you type gpg --list-keys.
Once you are in the Change usage window, you can toggle each particular action the key can be used for:
- (S) Toggle the sign capability
- (E) Toggle the encrypt capability
- (A) Toggle the authenticate capability
- (Q) Finished
Editing a key pair
Another useful possibility of --edit-key is that you can delete any subkey by providing its number:
gpg --edit-key A33DAA6DE2F696C28D4904A93CA84103AF8F3E66
gpg (GnuPG) 2.2.42; Copyright (C) 2023 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa3072/3CA84103AF8F3E66
created: 2024-02-28 expires: 2027-02-27 usage: SC
trust: ultimate validity: ultimate
ssb rsa3072/13631A9A2D9DFE5C
created: 2024-02-28 expires: 2027-02-27 usage: E
[ultimate] (1). iovon <iovon@mail.com>
gpg> key 1
sec rsa3072/3CA84103AF8F3E66
created: 2024-02-28 expires: 2027-02-27 usage: SC
trust: ultimate validity: ultimate
ssb* rsa3072/13631A9A2D9DFE5C
created: 2024-02-28 expires: 2027-02-27 usage: E
[ultimate] (1). iovon <iovon@mail.com>
gpg> delkey
Do you really want to delete this key? (y/N) y
sec rsa3072/3CA84103AF8F3E66
created: 2024-02-28 expires: 2027-02-27 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). iovon <iovon@mail.com>
gpg> save
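To confirm what change-usage or delkey actually left behind, the usage flags can be read from gpg's machine-readable --with-colons listing instead of the interactive one. The script below is an added example, not part of the original post: the sample listing is constructed from the key shown above, the function names are hypothetical, and flagging a key that both signs and encrypts is this example's own policy.

```shell
#!/bin/sh
# Real input would come from:  gpg --list-keys --with-colons KEY-ID

# Constructed sample modelled on the key in the session above
# (timestamps and the uid hash field are illustrative only).
sample_listing() {
cat <<'EOF'
pub:u:3072:1:3CA84103AF8F3E66:1709078400:1803686400::u:::scESC::::::23::0:
fpr:::::::::A33DAA6DE2F696C28D4904A93CA84103AF8F3E66:
uid:u::::1709078400::0000000000000000000000000000000000000000::iovon <iovon@mail.com>::::::::::0:
sub:u:3072:1:13631A9A2D9DFE5C:1709078400:1803686400:::::e::::::23:
EOF
}

# usage_report: read colon records on stdin, print "<type> <keyid> <flags>".
# Field 1 is the record type, field 5 the key ID, field 12 the capabilities.
# Lowercase letters are the key's own flags; the uppercase letters on the
# primary summarise the whole key pair, so they are stripped here.
usage_report() {
    awk -F: '
        $1 == "pub" || $1 == "sec" || $1 == "sub" || $1 == "ssb" {
            caps = $12
            gsub(/[^esca]/, "", caps)
            print $1, $5, (caps == "" ? "-" : caps)
        }'
}

# has_encrypt_subkey: succeed only if some subkey still carries "e",
# for example to check what remains after delkey.
has_encrypt_subkey() {
    usage_report |
        awk '($1 == "sub" || $1 == "ssb") && $3 ~ /e/ { found = 1 }
             END { exit !found }'
}

# mixed_keys: print IDs of keys that can both sign and encrypt
# (assumed policy of this example: such keys deserve a second look).
mixed_keys() {
    usage_report | awk '$3 ~ /s/ && $3 ~ /e/ { print $2 }'
}

sample_listing | usage_report
```
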