$ cd pranavchip.com && cd /docs
PROCEDURE FOR EXPORTING SUBKEYS
===============================
Pranav "Prae" Chiploonkar <mail@pranavchip.com>
Created : 2026-03-25
Last updated: 2026-03-25
Abstract
========
GnuPG is a powerful commandline tool that allows precise, surgical key
management. However it can be quite intimidating to figure out at first
and there isn't *too* much documentation online that helps with its more
niche uses. This documentation tries to fill that gap. ^[1]
------------------------------------------------------------------------
1. Create a working directory for exported key(s)
=================================================
$ mkdir key
$ cd key
2. View your stored private key
===============================
$ gpg -K
OR
$ gpg --list-secret-keys
Your output will look something like this:
[keyboxd]
---------
sec ed25519/M3N4O5P6Q7R8S8T9 YYYY-MM-DD [C]
Key fingerprint = A1B2 C3D4 E5F6 G7H8 I9J0 K1L2 M3N4
O5P6 Q7R8 S8T9
uid [ultimate] John Doe
uid [ultimate] John Doe
ssb cv25519/QRSTUVWXYZABCDEF YYYY-MM-DD [E]
ssb ed25519/GHIJKLMNOPQRSTUV YYYY-MM-DD [S]
ssb ed25519/WXYZABCDEFGHIJKL YYYY-MM-DD [A]
3. Copy the long alphanumeric key ID of your private key
========================================================
This string represents the last 12 characters of your key's fingerprint.
In this case, the key fingerprint is:
A1B2 C3D4 E5F6 G7H8 I9J0 K1L2 M3N4 O5P6 Q7R8 S8T9
And the key ID is:
M3N4O5P6Q7R8S8T9
4. Export the subkey bundle with ASCII armor
============================================
There is no way (that I know of) to export a single subkey. ^[2]
So we will have to deal with the extras later.
$ gpg --armor --export-secret-subkeys M3N4O5P6Q7R8S8T9 >
M3N4O5P6Q7R8S8T9.asc
4. Test that the export was successful using a temporary gnupg home
directory
$ gpg --homedir . --import ./M3N4O5P6Q7R8S8T9.asc
5. About the warning
====================
You will get a warning about unsafe permissions in the home
directory. This can be ignored as the temporary keyring will be
deleted upon completion.
6. Ensure that the exported bundle contains all 3 subkeys:
==========================================================
$ gpg --homedir . -K --with-keygrip
You should see a stripped version of the key (indicated by sec#)
sec# ed25519 YYYY-MM-DD [C]
A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S8T9
Keygrip = ED7D3E2EB9A77F601840593171030E67868DE573
uid [ultimate] John Doe
uid [ultimate] John Doe
ssb cv25519 YYYY-MM-DD [E]
Keygrip = 3F7C1A9E5D2846B0C92E4F7A1D6B8C3E0A5F2D19
ssb ed25519 YYYY-MM-DD [S]
Keygrip = B4E91C2D7F6A3B5088D2E14F9C7A0B6D5E3F8A21
ssb ed25519 YYYY-MM-DD [A]
Keygrip = 6A2D9F0C3B1E7D84F5C6A8B9E2D14F703C8E5A27
This confirms that the subkey bundle is stripped of the [C]
Certification key, and only contains subkeys.
7. Removing unnecessary subkeys
===============================
When you import your keys to another device, you may only desire a
single function - this helps compartmentalize risk. If the key is
compromised, you only need revoke a single subkey (or set of subkeys)
as opposed to the entire key.
A device that solely uses the key for SSH authentication may need
the [A] Authentication key. Or perhaps you do not need SSH but you
do need to encrypt/decrypt/sign email. So you would then keep [E]
Encryption and [S] Signing subkeys.
In this example, I will be removing all but the [E] Encryption subkey.
WARNING
=============
REMEMBER TO USE THE "--homedir ." FLAG. FAILURE TO DO SO
WILL EDIT YOUR DEFAULT PRIVATE KEY OUTSIDE THE TEMPORARY
SANDBOX. EXERCISE CAUTION.
$ gpg --homedir . --edit-key M3N4O5P6Q7R8S8T9
You will be presented with output that looks like this:
gpg: WARNING: unsafe permissions on homedir
gpg (GnuPG) 2.4.9; Copyright (C) 2025 g10 Code GmbH
This is free software: you are free to change and redistribute
it.
There is NO WARRANTY, to the extent permitted by law.
Secret subkeys are available.
pub ed25519/M3N4O5P6Q7R8S8T9
created: YYYY-MM-DD expires: never usage: C
trust: ultimate validity: ultimate
ssb cv25519/QRSTUVWXYZABCDEF
created: YYYY-MM-DD expires: never usage: E
ssb ed25519/GHIJKLMNOPQRSTUV
created: YYYY-MM-DD expires: never usage: S
ssb ed25519/WXYZABCDEFGHIJKL
created: YYYY-MM-DD expires: never usage: A
[ultimate] (1). John Doe
[ultimate] (2) John Doe
8. Key surgery
==============
Run "help" to see all the commands you have access to. The ones we
will use today are highlighted below:
gpg> help
quit quit this menu
save save and quit
help show this help
list list key and user IDs
key select subkey N
delkey delete selected subkeys
minimize compact unusable user IDs and remove all signatures
from key
9. Delete unwanted subkeys
==========================
List the subkeys present (the same output as when you first load into
the interface)
gpg> list
Select the subkey(s) you wish to delete. The subkeys are numbered
starting from 1.
gpg> key 2
gpg> key 3
I've now selected the [S] and [A] subkeys, as indicated by the (*):
pub ed25519/M3N4O5P6Q7R8S8T9
created: YYYY-MM-DD expires: never usage: C
trust: ultimate validity: ultimate
ssb cv25519/QRSTUVWXYZABCDEF
created: YYYY-MM-DD expires: never usage: E
ssb* ed25519/GHIJKLMNOPQRSTUV
created: YYYY-MM-DD expires: never usage: S
ssb* ed25519/WXYZABCDEFGHIJKL
created: YYYY-MM-DD expires: never usage: A
[ultimate] (1). John Doe
[ultimate] (2) John Doe
Now delete the key(s):
gpg> delkey
Do you really want to delete the selected keys? (y/N) y
And we are left with:
pub ed25519/M3N4O5P6Q7R8S8T9
created: YYYY-MM-DD expires: never usage: C
trust: ultimate validity: ultimate
ssb cv25519/QRSTUVWXYZABCDEF
created: YYYY-MM-DD expires: never usage: E
[ultimate] (1). John Doe
[ultimate] (2) John Doe
Success! We can now minimize the key (optional) to strip it of extra
metadata (such as signatures) if the use-case requires a minimal key.
10. (Optional) Minimize key
===========================
gpg> minimize
You'll see output that describes if anything was minimized.
11. Save and quit
======================
Now that we're done with the surgery and cleanup,
gpg> save
This will drop you back into your prompt.
12. Final verification
======================
Run the command from step 6 to confirm everything was successful:
$ gpg --homedir . -K --with-keygrip
sec# ed25519 YYYY-MM-DD [C]
A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S8T9
Keygrip = ED7D3E2EB9A77F601840593171030E67868DE573
uid [ultimate] John Doe
uid [ultimate] John Doe
ssb cv25519 YYYY-MM-DD [E]
Keygrip = 3F7C1A9E5D2846B0C92E4F7A1D6B8C3E0A5F2D19
And we're done! Transfer your brand new stripped key securely, and
ensure you delete your temporary working directory once that's done.
$ mv ./M3N4O5P6Q7R8S8T9.asc ~
$ cd ..
$ rm -rf ./key
------------------------------------------------------------------------
Footnotes
=========
[1] There is exceedingly scarce documentation on GnuPG when it comes to
more complex key management. OpenPGP/GPG as a whole is rather niche, so
it was really hard for me to figure anything out.
However, LLMs such as ChatGPT are actually really good at working with
GPG, and I'd highly recommend asking one questions if any step trips you
up (or doesn't make) sense.
And feel free to shoot me an email with questions!
[2] There is an obscure reference to this that I found here:
<https://lists.gnupg.org/pipermail/gnupg-users/2017-January/057400.html>
It recommends using a "!" with the subkey ID ("SUBKEYID!") to export
just the one. However, this didn't always work for me and the docs don't
seem to mention this at all!
<https://www.gnupg.org/documentation/manuals/gnupg24/gpg.1.html>
Very niche indeed... But editing the key is more flexible, and I think
it's a robust way to go about it.