These instructions assume you use one computer, and keep the master keys on an encrypted USB flash drive, or preferably at least two (you should keep backups of your secret keys).
Here comes the tricky part. You need to remove the private master key, and GnuPG does not provide a convenient way to do that. We need to export the subkey, remove the private key, and import the subkey back.
Find the key ID of your new secret subkey:
gpg --list-secret-keys
Export the subkeys:
gpg --export-secret-subkeys SUBKEYID1! .. SUBKEYIDn! > subkeys
Also export the public keys:
gpg --export YOURMASTERKEYID > pubkeys
Remove your master key:
gpg --delete-secret-key YOURKEYID
Import back:
gpg --import pubkeys subkeys
Verify that
gpg -K
shows a sec# instead of just sec for your private key. That means the secret key is not really there.
source http://wiki.debian.org/subkeys