
Having trouble with GPG, isolating one set of subkeys from another.

In short, I generated a master key, then three subkeys:

  1. Signing
  2. Encrypting
  3. Authorization

I can't seem to isolate the Signing and Encrypting private keys from the Authorization key. I've tried both:

  1. Exporting/Importing only specific private subkeys
  2. Deleting the one unwanted private subkey

When I import one subkey, gpg does not allow me to import the others, saying that I already have imported a private key that belongs to the master. And when I delete the one unwanted private subkey, all subkeys are deleted. Seemingly no solution works.

What gives?

2 Answers


You're probably dealing with two issues:

  • GnuPG before version 2.1 cannot merge private keys, and
  • selecting explicit subkeys to export requires a ! after the key id, for example (given 0xdeadbeef is your subkey ID)

    gpg --export-secret-subkeys 0xdeadbeef!
    

Possible solutions to your problem are:

  • Use GnuPG 2.1 (then you can merge the exported individual subkeys during import).
  • Export the required subkeys all at once (given you have one keyring which already contains all subkeys, does not work if these are distributed among multiple keyrings as it would require merging the keys), for example

    gpg --export-secret-subkeys 0xdeadbeef! 0x12345678!
    
  • Use the gpgsplit command to take apart the OpenPGP message to individual packets, then join them manually in the right order using cat. This is a rather difficult task requiring deeper knowledge of the OpenPGP standard, I'd go for either of the first two solutions.


The gpgsplit tool is certainly one solution, but it is very confusing to all but experts. My solution was to first export the private master key into a file, then the subkeys, and delete all secret keys, and then import only the secret subkeys.

So:

    # Export out the master key
    gpg --export-secret-keys user@host > master_secret.asc
    # Export out the subkeys
    gpg --export-secret-subkeys > subkeys_secret.asc
    # Delete both sets of secret keys (You can also delete everything associated with that uid)
    gpg --delete-secret-keys user@host
    # Import in ONLY the subkeys
    gpg --import subkeys_secret.asc

Just a comment: If this process was confusing for me, a fairly technical person, just imagine how difficult it would be for a completely non-technical person. This needs to be simplified. Additionally, once you have broken apart the keys as such, there is no simple and obvious way to merge both the master secret and subkey secrets in the same keyring.

This is not a feature, it is a bug and should be fixed.
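Both answers mention the gpgsplit route (take the export apart into OpenPGP packets, then cat the wanted ones back together in order) without showing what that involves. The following is an added illustration, not code from either answer or from GnuPG: a small Python parser for RFC 4880 packet headers that splits a binary OpenPGP key block into its packets and rebuilds it without one subkey and the binding signature that follows it. The key block it runs on is a constructed placeholder (the packet bodies are not real key material, only the packet layout and header lengths are realistic); on a real export you would feed the binary output of `gpg --export-secret-keys` (without `--armor`) to `split_packets`. Partial body lengths are not handled, since they are only permitted on data packets, not key packets.

```python
"""Split a binary OpenPGP message into packets (what gpgsplit does) and
rebuild it without one subkey, using only RFC 4880 packet headers."""
import struct

# Packet tags from RFC 4880 section 4.3 that occur in a key block.
TAG_SIGNATURE, TAG_SECRET_KEY, TAG_PUBLIC_KEY = 2, 5, 6
TAG_SECRET_SUBKEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY = 7, 13, 14
TAG_NAMES = {2: "signature", 5: "secret key", 6: "public key",
             7: "secret subkey", 13: "user id", 14: "public subkey"}
SUBKEY_TAGS = {TAG_SECRET_SUBKEY, TAG_PUBLIC_SUBKEY}


def encode_packet(tag, body, old_format=False):
    """Prefix body with an old- or new-format packet header (RFC 4880 4.2)."""
    n = len(body)
    if old_format:                   # tag in bits 5..2, length type in bits 1..0
        if tag > 15:
            raise ValueError("old-format headers only carry tags 0-15")
        if n < 0x100:
            return bytes([0x80 | (tag << 2)]) + bytes([n]) + body
        if n < 0x10000:
            return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", n) + body
        return bytes([0x80 | (tag << 2) | 2]) + struct.pack(">I", n) + body
    first = bytes([0xC0 | tag])      # new format: tag in bits 5..0
    if n < 192:
        return first + bytes([n]) + body
    if n < 8384:
        n -= 192
        return first + bytes([(n >> 8) + 192, n & 0xFF]) + body
    return first + b"\xff" + struct.pack(">I", n) + body


def split_packets(data):
    """Return [(tag, raw_packet)] so the message can be rejoined byte-exact."""
    packets, i = [], 0
    while i < len(data):
        b = data[i]
        if not b & 0x80:
            raise ValueError("bit 7 not set in packet header at offset %d" % i)
        if b & 0x40:                 # new-format header
            tag, l = b & 0x3F, data[i + 1]
            if l < 192:
                n, hdr = l, 2
            elif l < 224:
                n, hdr = ((l - 192) << 8) + data[i + 2] + 192, 3
            elif l == 255:
                n, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                        # old-format header
            tag, ltype = (b >> 2) & 0x0F, b & 0x03
            if ltype == 0:
                n, hdr = data[i + 1], 2
            elif ltype == 1:
                n, hdr = struct.unpack(">H", data[i + 1:i + 3])[0], 3
            elif ltype == 2:
                n, hdr = struct.unpack(">I", data[i + 1:i + 5])[0], 5
            else:
                raise ValueError("indeterminate length is not supported")
        if i + hdr + n > len(data):
            raise ValueError("truncated packet at offset %d" % i)
        packets.append((tag, data[i:i + hdr + n]))
        i += hdr + n
    return packets


def tags(data):
    return [t for t, _ in split_packets(data)]


def describe(data):
    return [TAG_NAMES.get(t, "tag %d" % t) for t, _ in split_packets(data)]


def drop_subkey(data, index):
    """Rebuild the message without the index-th (0-based, in export order)
    subkey packet and the signature packets directly after it (its binding
    signature). Everything else keeps its bytes and order: gpgsplit + cat."""
    out, seen, skipping = [], -1, False
    for tag, raw in split_packets(data):
        if tag in SUBKEY_TAGS:
            seen += 1
            skipping = seen == index
        elif tag != TAG_SIGNATURE:   # any non-signature packet ends the skip
            skipping = False
        if not skipping:
            out.append(raw)
    return b"".join(out)


# Constructed sample: placeholder bodies laid out like a real secret key block
# (primary key, user id, certification, then subkey + binding signature pairs).
# Not real key material; body sizes exercise 1- and 2-byte length encodings.
SAMPLE = b"".join([
    encode_packet(TAG_SECRET_KEY, b"\x04" + b"\x00" * 299, old_format=True),
    encode_packet(TAG_USER_ID, b"Alice <alice@example.org>"),
    encode_packet(TAG_SIGNATURE, b"\x04\x13" + b"\x00" * 198),
    encode_packet(TAG_SECRET_SUBKEY, b"\x04sign"), encode_packet(TAG_SIGNATURE, b"\x04\x18S"),
    encode_packet(TAG_SECRET_SUBKEY, b"\x04encr"), encode_packet(TAG_SIGNATURE, b"\x04\x18E"),
    encode_packet(TAG_SECRET_SUBKEY, b"\x04auth"), encode_packet(TAG_SIGNATURE, b"\x04\x18A"),
])

if __name__ == "__main__":
    print(describe(SAMPLE))
    print(describe(drop_subkey(SAMPLE, 2)))   # third subkey removed with its binding sig
```

The point the parser makes concrete is the ordering rule the first answer alludes to: a subkey packet is only meaningful together with the binding signature that immediately follows it, and the primary key, user id and certification packets must stay in front. Dropping a subkey packet but leaving its binding signature behind (or the reverse) produces a block gpg will reject or silently trim, which is why the `!`-suffixed `--export-secret-subkeys` form is the easier route when it is available.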
