Igor's Techno Club

TIL: PGP keys can be edited on the command line

When a key pair is created with gpg --full-generate-key, it usually has one primary key with the Sign and Certify roles and a subkey with the Encrypt role, but it's possible to change that:

gpg --edit-key [KEY-ID] change-usage 

where KEY-ID is the hexadecimal string which is printed for each key after you type gpg --list-keys.

Once you are in the Change usage window, you can toggle each of the actions the key can be used for:

Editing a key pair

Another useful feature of --edit-key is that you can delete any subkey by providing its number:

gpg --edit-key A33DAA6DE2F696C28D4904A93CA84103AF8F3E66

gpg (GnuPG) 2.2.42; Copyright (C) 2023 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa3072/3CA84103AF8F3E66
     created: 2024-02-28  expires: 2027-02-27  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa3072/13631A9A2D9DFE5C
     created: 2024-02-28  expires: 2027-02-27  usage: E   
[ultimate] (1). iovon <iovon@mail.com>

gpg> key 1

sec  rsa3072/3CA84103AF8F3E66
     created: 2024-02-28  expires: 2027-02-27  usage: SC  
     trust: ultimate      validity: ultimate
ssb* rsa3072/13631A9A2D9DFE5C
     created: 2024-02-28  expires: 2027-02-27  usage: E   
[ultimate] (1). iovon <iovon@mail.com>

gpg> delkey
Do you really want to delete this key? (y/N) y

sec  rsa3072/3CA84103AF8F3E66
     created: 2024-02-28  expires: 2027-02-27  usage: SC  
     trust: ultimate      validity: ultimate
[ultimate] (1). iovon <iovon@mail.com>

gpg> save
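
To check the result of change-usage or delkey without reading the interactive listing, the capability letters can be pulled from gpg's machine-readable output. This is an added example, not part of the original post: the function names are hypothetical, and the sample records are constructed from the key IDs shown above (the timestamps are made up). Note that after the session above no key with the E capability is left, so nothing can be encrypted to this key any more.

```shell
#!/bin/sh
# Added example. Real use:  gpg --list-keys --with-colons KEY-ID | key_usage
# In --with-colons output, field 5 is the key ID and field 12 holds the
# capability letters. On a pub record the lower-case letters belong to the
# primary key itself; the upper-case ones summarise the whole key, so only
# the lower-case letters are read here.
key_usage() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            caps = ""
            if ($12 ~ /s/) caps = caps "S"
            if ($12 ~ /c/) caps = caps "C"
            if ($12 ~ /e/) caps = caps "E"
            if ($12 ~ /a/) caps = caps "A"
            print $1, $5, (caps == "" ? "-" : caps)
        }'
}

# Succeeds only if a key that is not revoked (r), expired (e) or invalid (i)
# still carries the encrypt capability.
can_encrypt() {
    awk -F: '
        ($1 == "pub" || $1 == "sub") && $2 !~ /^[rei]$/ && $12 ~ /e/ { found = 1 }
        END { exit !found }'
}

# Constructed sample: the key pair from the session before "delkey".
sample_before() {
    cat <<'EOF'
pub:u:3072:1:3CA84103AF8F3E66:1709078400:1803686400::u:::scESC::::::23::0:
fpr:::::::::A33DAA6DE2F696C28D4904A93CA84103AF8F3E66:
uid:u::::1709078400::0000000000000000000000000000000000000000::iovon <iovon@mail.com>::::::::::0:
sub:u:3072:1:13631A9A2D9DFE5C:1709078400:1803686400:::::e::::::23:
EOF
}

# Constructed sample: the same key after the subkey was deleted and saved.
sample_after() {
    sample_before | sed -e '/^sub:/d' -e 's/:scESC:/:scSC:/'
}

sample_before | key_usage
sample_after | can_encrypt || echo "warning: no encryption-capable key left"
```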
