How to remove the private master key from your laptop.

These instructions assume you use one computer, and keep the master keys on an encrypted USB flash drive, or preferably at least two (you should keep backups of your secret keys).

Here comes the tricky part. You need to remove the private master key, and GnuPG does not provide a convenient way to do that. We need to export the subkey, remove the private key, and import the subkey back.

Find the key ID of your new secret subkey:

gpg --list-secret-keys

Export the subkeys:

gpg --export-secret-subkeys SUBKEYID1! .. SUBKEYIDn! > subkeys

Also export the public keys:

gpg --export YOURMASTERKEYID > pubkeys

Remove your master key:

gpg --delete-secret-key YOURKEYID

Import back:

gpg --import pubkeys subkeys

Verify that

gpg -K

shows a sec# instead of just sec for your private key. That means the secret key is not really there.