Data breaches and other malicious incidents, such as ID or credential theft or the decryption of sensitive data, are surprisingly common threats to business continuity.
As such, you need a dependable and widely accepted way of encrypting data and preventing malicious actors from impersonating you in digital transactions. Here, GnuPG (GPG) keys play a crucial role in encrypting, decrypting, and signing data, ensuring that communications and files remain confidential and untampered.
However, there may come a time when you need to delete a GPG key because it’s no longer in use, compromised, or simply to clear clutter in the relevant directory.
In this tutorial, we will discuss GPG keys and the two methods of deleting them (by User ID and by KeyID) to maintain a clean, secure keyring.
Let’s start with an overview of GPG keys.
What is a GPG Key?
GPG or GNU Privacy Guard keys are a free and open-source option to encrypt and decrypt data.
These cryptographic keys are used in digital security to encrypt, decrypt, and sign data. These keys play a crucial role in ensuring the confidentiality and integrity of communications and files in digital communication.
Types of GPG Keys
GPG keys come in two main kinds:
Public Keys
Public keys are similar to business phone numbers that you can share with anyone. They help lock (encrypt) messages so that only the person with the right private key can unlock (decrypt) and read the message.
You can freely distribute and share them with others so that they can send secure messages.
Private Keys
These are like secret PINs that you should never share with anyone. Each Private key corresponds to a Public key, similar to a lock and key pair. A Private key is essential to verify who you are (authentication) and open (decrypt) messages sent to you.
The Prerequisites
Before moving on to the practical sections of this tutorial, make sure you have the following:
- A system running a mainstream Linux distribution.
- You have GnuPG installed on your system.
How to View GPG Keys on a Linux System
GPG keys are an implementation of the OpenPGP standard for secure communication and data integrity.
Before deleting GPG keys on Linux, check your existing GPG keys and identify their User ID and Key ID. Note that the commands for viewing Public and Private keys are slightly different.
Note: if there are no GPG keys on your system, running these commands will not produce any output.
View Public GPG Keys
To list all the public keys, run the following command:
# gpg --list-keys
The gpg --list-keys command output includes:
- pub: Indicates key type, creation, and expiration date, as well as the functionalities (like signing 'S' or encrypting 'C').
- KeyID: The key's identifier, shown as a hexadecimal code.
- uid: This denotes the key owner or user ID, trust level (ultimate), username, and associated email.
- sub: Here, you get info about any extra keys attached to the main one.
View Private GPG Keys
Run the following command to list all private GPG keys:
# gpg --list-secret-keys
The output of the command gpg --list-secret-keys includes:
- sec: This indicates the type of key (here, Private key).
- ssb: This is the secret subkey linked to the private key (However, not all private keys have subkeys).
How to Delete GPG Keys in Linux
You can delete GPG keys in Linux in two ways: through the User ID or through the KeyID. Both methods allow you to delete keys for single or multiple users.
When deleting GPG keys, the correct order is Private keys first, and then Public keys. GnuPG enforces this order: it refuses to delete a Public key while a matching Private (secret) key is still in the keyring. Following this order also protects your Private key and keeps your keyring consistent, which matters in a Public key infrastructure (PKI) where a Public key may still be in use for encrypted messages.
The process of deleting GPG keys is slightly different in the single-user and multi-user scenarios. Let’s go into the details of these scenarios.
How to Delete GPG keys for Single User
Let’s discuss the two methods of deleting GPG keys for a single user.
Method #1: Use the User ID
Run the following command to remove the private GPG keys of a single user:
# gpg --delete-secret-key [uid]
Here, replace [uid] with the user ID.
Next, run this command to remove the public GPG keys of a single user:
# gpg --delete-key [uid]
Similar to private GPG keys, replace [uid] with the appropriate user’s ID.
Example
The following example demonstrates how to delete the GPG key for a user named kiosk.
Step #1: Find the user ID
Locate the user ID for kiosk with the following command:
# gpg --list-secret-keys
The output lists all the user IDs. Review and identify the User ID for the kiosk key.
Step #2: Delete the Associated Private Key
To delete the kiosk’s Private key, run the following command:
# gpg --delete-secret-key kiosk
Step #3: The Confirmation
To confirm deletion, type Y and press Enter.
Step #4: Confirm Subkey Deletion
You will see a pop-up message when you confirm the key deletion. Click Delete key in the first pop-up message.
Click Delete key in the second pop-up message to delete the subkey.
Step #5: Delete the Public Key
After deleting the private key, you can go ahead and delete the kiosk’s Public key. For this, run the following command in the terminal:
# gpg --delete-key kiosk
Type Y to confirm.
Step #6: Verification
You need to verify that the keys have been deleted and, thus, are no longer available on the system. Run the following command to verify this scenario:
# gpg --list-keys
If the output does not list kiosk, the kiosk’s public key is successfully removed.
To double-check the deletion, list the Private keys by executing:
# gpg --list-secret-keys
If the output does not include the kiosk’s private key, the private key has been successfully removed.
Method #2: Use the KeyID
Using the KeyID is an alternative way of deleting GPG keys. A KeyID uniquely identifies a key, and the same KeyID selects both the private and the public half of a user’s key pair.
To locate the KeyID, run the following command:
# gpg --list-secret-keys (for Private keys)
or
# gpg --list-keys (for Public keys)
Next, delete the Private key by using the KeyID with the following command:
# gpg --delete-secret-key [Key_ID]
Delete the Public key using KeyID with this command:
# gpg --delete-key [Key_ID]
Example
The following example demonstrates how to delete the Private GPG key for a user named spector.
Step #1: Identify the Key ID and Delete the Private Key
Use Step #1 of the previous process to find the Key ID. Next, run the following command to delete the Private GPG key, replacing [Key ID] with that value:
# gpg --delete-secret-key [Key ID]
Step #2: Confirm Deletion
You will see a confirmation message about the deletion of the Private key.
Type Y and press Enter.
You might need to confirm twice and click Delete key.
Step #3: Remove the Public Key
To remove the spector’s Public key, run the following command:
# gpg --delete-key [Key ID]
Press Y when prompted to confirm the deletion.
Step #4: Verification
To verify the spector key is deleted, re-check both the Private and Public keys lists. This involves listing these keys separately in the terminal:
Run the following command to check if the Private key has been removed:
# gpg --list-secret-keys
If the output does not include spector’s key, the Private key is successfully removed.
Similarly, run the following command to check if the Public key is deleted:
# gpg --list-keys
If the output does not include spector’s key, the Public key is successfully removed.
How to Delete the GPG Keys for Multiple Users
Similar to deleting GPG keys for single users, you can use either UserIDs or KeyIDs for deleting GPG keys for multiple users. Note that you need the list of UIDs for all the users whose keys you wish to delete.
Let’s run through the two methods.
Method #1: Use the User ID
Here are the steps to delete GPG keys for multiple users, using the user IDs.
Step #1: Delete Private Keys
To delete the Private key, run the following command in the terminal:
# gpg --delete-secret-key [uid1] [uid2]
Here, replace [uid1] and [uid2] with the actual UserIDs. You can list any number of UIDs in this command.
Step #2: Delete Public Keys
To delete the Public keys, run the following command:
# gpg --delete-key [uid1] [uid2]
Replace [uid1] and [uid2] with the actual UserIDs.
Example
The following example demonstrates how to delete Private keys for multiple users John and Mike using their UIDs.
Delete the Private Keys
Run the following command to delete the Private keys for the users:
# gpg --delete-secret-key mike john
This command initiates the deletion of the keys, beginning with mike.
Press Y and press Enter to confirm the deletion of Mike’s Private key.
Click Delete key when prompted.
Click Delete key again when prompted to remove the subkey.
Once the first Private key is deleted, the terminal presents the prompt for deleting the second one.
Press Y to confirm the second deletion.
Delete the Public Keys
To remove the Public keys for both users, run the following command in the terminal:
# gpg --delete-key john mike
Press Y and press Enter to confirm the deletion of Mike’s Public key.
Press Y and press Enter to confirm the deletion of John’s Public key.
To confirm all the changes, list all the Public and Private keys again.
Method #2: Use the KeyIDs
The alternative method uses the KeyIDs for deleting GPG keys for multiple users. Here are the steps of the process. You can list all the KeyIDs in a single delete command.
Step #1: Delete Private Keys
Start by running the following command to delete the Private key:
# gpg --delete-secret-key [Key_ID1] [Key_ID2]
Step #2: Delete Public Keys
Next, use this command to delete the Public keys:
# gpg --delete-key [Key_ID1] [Key_ID2]
Example
The following example demonstrates how to delete Private keys for multiple users, Chris and Jane, using their keyIDs.
Delete the Private Keys
To delete Private keys for Chris and Jane, run the following:
# gpg --delete-secret-key [KeyID1] [KeyID2]
Press Y and press Enter to confirm the deletion of Chris’s Private key.
Click Delete key when prompted.
Click Delete key again when prompted to remove the subkey.
Once the first Private key is deleted, the terminal shows the prompt for deleting the second one.
Press Y to confirm the second deletion.
Click Delete key on both pop-up messages to confirm the deletion.
Delete the Public Keys
After deleting the Private key(s), delete the Public keys by running the following command:
# gpg --delete-key [KeyID 1] [KeyID 2]
Press Y and press Enter to confirm the deletion of Chris’s Public key.
Press Y and press Enter to confirm the deletion of Jane’s Public key.
Run gpg --list-keys and gpg --list-secret-keys to confirm the removal.
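The steps above (identifying a user’s Key ID from the listing, deleting the Private keys before the Public keys, doing this for several users at once, and re-listing the keyring to verify) can be scripted. The following POSIX shell script is an added example written for this page; it is not code from the original tutorial or from RedSwitches. It parses the machine-readable listing that gpg --with-colons produces, resolves each User ID to its full key fingerprint, emits the delete commands in the required order using the documented long option names (--delete-secret-keys, --delete-keys), and checks afterwards that the fingerprints are gone. The sample listing, its fingerprints, key IDs and hashes, and the function names are all constructed for this example; the script only prints the plan unless RUN_GPG=1 is set.

```shell
#!/bin/sh
# Added example (not the tutorial's own code): resolve user IDs to key
# fingerprints from 'gpg --with-colons' output, build the deletion commands
# in the order the tutorial prescribes (secret keys first, then public keys)
# for any number of users, and verify afterwards that the keys are gone.

# Constructed sample of 'gpg --list-secret-keys --with-colons --with-fingerprint'
# output for two keys (kiosk and spector). Every fingerprint, key ID and hash
# below is made up. In the colon format, field 1 is the record type (sec/pub,
# fpr, uid, ssb/sub); field 10 carries the fingerprint on 'fpr' records and
# the user ID string on 'uid' records.
SAMPLE_LISTING='sec:u:3072:1:0123456789ABCDEF:1700000000:::u:::scESC:::+:::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::1700000000::0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A::kiosk <kiosk@example.test>::::::::::0:
ssb:u:3072:1:FEDCBA9876543210:1700000000::::::e:::+:::23:
fpr:::::::::1234567890ABCDEF1234567890ABCDEF12345678:
sec:u:3072:1:1111222233334444:1700000000:::u:::scESC:::+:::23::0:
fpr:::::::::5555666677778888999900001111222233334444:
uid:u::::1700000000::0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B::spector <spector@example.test>::::::::::0:
ssb:u:3072:1:9999888877776666:1700000000::::::e:::+:::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:'

# Print the primary-key fingerprint of every key whose user ID contains $1.
# The listing is read from stdin; against a real keyring use e.g.
#   gpg --list-secret-keys --with-colons --with-fingerprint | fingerprints_for_uid kiosk
# Only the first 'fpr' after a sec/pub record is the primary fingerprint;
# 'fpr' records that follow ssb/sub belong to subkeys and are skipped.
fingerprints_for_uid() {
    awk -F: -v pat="$1" '
        $1 == "sec" || $1 == "pub" { primary = 1; fp = ""; next }
        $1 == "ssb" || $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary && fp == "" { fp = $10; next }
        $1 == "uid" && fp != "" && index($10, pat) > 0 && !seen[fp]++ { print fp }
    '
}

# Emit the gpg commands for the given fingerprints: all secret keys first,
# then all public keys. GnuPG refuses to delete a public key while its secret
# key is still in the keyring, so this order is mandatory, not just tidy.
# --batch --yes suppresses the interactive Y/N and pinentry confirmations.
# In batch mode --delete-secret-keys accepts only full fingerprints (not
# short KeyIDs), which is why fingerprints are resolved above.
plan_deletion() {
    for fp in "$@"; do
        printf 'gpg --batch --yes --delete-secret-keys %s\n' "$fp"
    done
    for fp in "$@"; do
        printf 'gpg --batch --yes --delete-keys %s\n' "$fp"
    done
}

# Succeed (return 0) only if none of the given fingerprints still appear in
# the listing read from stdin; print any survivors and return 1 otherwise.
verify_removed() {
    listing=$(cat)
    rc=0
    for fp in "$@"; do
        if printf '%s\n' "$listing" | grep -q "^fpr:::::::::$fp:"; then
            echo "still present: $fp"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on the sample listing for the tutorial's example users.
# The plan is only printed; set RUN_GPG=1 to execute it against the real
# keyring and verify the result.
demo() {
    fps=""
    for user in kiosk spector; do
        fps="$fps $(printf '%s\n' "$SAMPLE_LISTING" | fingerprints_for_uid "$user")"
    done
    # Intentional word splitting: one fingerprint per argument.
    set -- $fps
    plan_deletion "$@"
    if [ "${RUN_GPG:-0}" = 1 ]; then
        plan_deletion "$@" | while IFS= read -r cmd; do
            eval "$cmd" </dev/null || exit 1
        done
        gpg --list-secret-keys --with-colons --with-fingerprint | verify_removed "$@"
    fi
}

demo
```

Before running with RUN_GPG=1, export any key you may still need (gpg --armor --export-secret-keys <fingerprint>), since the deletion cannot be undone. Matching on a substring of the user ID string means a pattern such as "jo" would also select "john"; use the full "Name <email>" string when several user IDs share a prefix, and review the printed plan before executing it.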
Conclusion
Managing GPG keys effectively is crucial for maintaining digital communications and data security. Deleting old or compromised keys helps prevent unauthorized access and maintains the integrity of your keyring. For those managing critical data and requiring robust security solutions, exploring services like RedSwitches’ bare metal hosting can provide the dedicated resources and security needed for peace of mind.
At RedSwitches, we take pleasure in assisting our valued customers with their unique server needs. We are your global dedicated hosting partner, offering bare metal hosting solutions tailored to enhance your development experience.
FAQs
Q. How can I delete a GPG key in Linux?
To delete a GPG key in Linux, run: gpg --delete-key [key id]. Replace [key id] with the right KeyID.
Q. How do I delete a GPG key pair in my keyring?
If you want to delete both the public and private keys associated with a GPG key pair, run: gpg --delete-secret-and-public-key [key id]. This removes the secret key first and then the public key.
Q. Can I delete multiple GPG keys at once?
Yes, you can delete multiple GPG keys simultaneously by providing multiple KeyIDs to the gpg --delete-key command: gpg --delete-key [key id 1] [key id 2]. This removes several GPG keys in a single command.
Q. What should I do before deleting a GPG key?
Before you delete a GPG key, especially if it is a private key, ensure that you have a backup if needed. Deleting a key is permanent, and once deleted cannot be undone.
Q. How do I delete a GPG key if I no longer have access to it?
If you no longer have access to the GPG key, you will not be able to delete it directly. However, you can mark the key as revoked using the gpg --edit-key command and then save the changes. This will indicate that the key is no longer valid for use.
Q. Is it possible to delete a GPG key using a command line?
Yes, it is possible to delete a GPG (GNU Privacy Guard) key using a command line interface. Use the gpg --delete-secret-key command followed by the KeyID or key fingerprint to delete the secret key, and the gpg --delete-key command followed by the KeyID or key fingerprint to delete the public key.
Q. How can the current community of developers manage GPG keys effectively?
The current community of developers can manage GPG keys effectively by using version control systems to track changes in keys, participating in online forums and discussions to share best practices, and continuously educating themselves on the latest security protocols.
Q. What is the role of an online community in GPG key management?
An online community, such as Stack Exchange, can provide support, share knowledge, and offer solutions for common issues related to GPG key management. It serves as a platform for developers to learn from each other’s experiences and expertise.
Q. How can I find solutions for cryptic entry errors in my public keyring?
If you encounter cryptic entry errors in your public keyring, searching through forums like Stack Exchange can be helpful. Often, other users have faced similar issues and their solutions or advice can guide you in resolving the error.
Q. Why is it important to perform an apt update before deleting GPG keys?
Performing an apt update ensures that your package lists are up to date. This is important because it allows you to verify that there are no pending updates or issues with the repository entries before you modify the GPG keys, which could affect software installations.
Q. What is a key identifier in the context of GPG?
A key identifier (KeyID) is a short sequence of characters that uniquely identifies a GPG key in the keyring. It is used to specify which key to operate on in commands like deleting or listing keys.
Q. How do I use the add-apt-repository command in relation to GPG keys?
The add-apt-repository command is used to add a new repository to your system’s software sources. When adding a repository, it often comes with its own GPG key, which is used to verify the authenticity of the packages from that repository.
Q. What does the list command do in GPG key management?
The list command (e.g., gpg --list-keys) is used to display all the keys in the keyring. This command helps in managing and verifying the keys you currently have.
Q. What is a one-line command, and how can it be used with GPG keys?
A one-line command is a single command line that performs a specific task, often combining several operations. In GPG key management, a one-line command is used to delete, list, or add keys without navigating through multiple steps.
Q. How can I remove a repository entry using GPG keys?
To remove a repository entry, edit the sources list file or use a graphical interface. However, managing the GPG keys for that repository often involves using commands to delete the associated keys from your keyring, ensuring that the system no longer trusts packages from that source.
Q. How can the Stack Exchange community assist with GPG key errors?
The Stack Exchange community can assist with GPG key errors by providing a platform where users can ask questions and receive answers from experienced professionals. Users can share error messages, seek advice, and offer solutions based on their own experiences.
Q. What should I do if my apt update fails due to a GPG key error?
If your apt update fails due to a GPG key error, you should check the output for any specific key identifiers mentioned. Once identified, you can use commands to import the correct key or delete the problematic one, resolving the update issue.
Q. How can I use a one-line command to add a new GPG key for a repository?
To add a new GPG key for a repository with a one-line command, you can use the add-apt-repository command followed by the repository’s URL. This command usually adds the repository and its associated GPG key in one step, simplifying the process.