What does --export-secret-subkeys do?

Werner Koch wk at gnupg.org
Thu Jul 8 15:23:01 CEST 2004


On Wed, 30 Jun 2004 22:42:04 -0400, James P Howard, said:

> What exactly happens when you use --export-secret-subkeys?  From
> what I understand, the master signing key is disabled in the new
> secret key ring, but I would like to know more about how this

Right, the private data of the primary key is not included in the
output.  Technically we use another protection algorithm to make
applications believe that the private key parts are there, just not
decodable.  Of course we don't put any actual data into it, just the
header to tell that it is protected using our special mode:



    if( sk->protect.s2k.mode >= 1000 ) {
        /* These modes are not possible in OpenPGP, we use them
           to implement our extensions, 101 can be seen as a
           private/experimental extension (this is not
           specified in rfc2440 but the same scheme is used
           for all other algorithm identifiers) */
        iobuf_put(a, 101 );
        iobuf_put(a, sk->protect.s2k.hash_algo );
        iobuf_write(a, "GNU", 3 );
        iobuf_put(a, sk->protect.s2k.mode - 1000 );
    }

    ...

    if( sk->protect.s2k.mode == 1001 )
        ; /* GnuPG extension - don't write a secret key at all */
    else if( sk->is_protected && sk->version >= 4 ) {
        /* The secret key is protected - write it out as it is */
        byte *p;
        assert( mpi_is_opaque( sk->skey[npkey] ) );
        p = mpi_get_opaque( sk->skey[npkey], &i );
        iobuf_write(a, p, i );
    }



Shalom-Salam,

   Werner
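
Added example, not part of the original post and not GnuPG code: a reader-side check for the header the quoted writer emits, useful for confirming that an exported key file really carries no primary secret material. The function names are hypothetical, and it assumes the caller has already located the S2K specifier inside the secret key packet; the lengths of the standard specifiers (types 0, 1, 3) come from RFC 2440.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not GnuPG source. Parses one S2K specifier; the type-101
   layout follows the quoted writer: 101, hash algo, "GNU", mode - 1000. */

/* Returns the mode (0, 1, 3, or 1000+n for the GnuPG extension) and stores
   the specifier length in *used; returns -1 if unknown or truncated. */
int s2k_mode(const unsigned char *p, size_t len, size_t *used)
{
    size_t need;
    int mode;

    if (len < 2)
        return -1;                         /* type and hash algo are always present */
    switch (p[0]) {
    case 0:   need = 2;  mode = 0;    break;  /* simple */
    case 1:   need = 10; mode = 1;    break;  /* salted: + 8 octet salt */
    case 3:   need = 11; mode = 3;    break;  /* iterated+salted: + salt + count */
    case 101: need = 6;  mode = 1000; break;  /* private/experimental type */
    default:  return -1;
    }
    if (len < need)
        return -1;
    if (p[0] == 101) {
        if (memcmp(p + 2, "GNU", 3) != 0)
            return -1;                     /* some other private use of type 101 */
        mode += p[5];
    }
    *used = need;
    return mode;
}

/* Mode 1001 is the case where the writer emits no secret key material. */
int secret_parts_absent(const unsigned char *p, size_t len)
{
    size_t used;
    return s2k_mode(p, len, &used) == 1001;
}

int main(void)
{
    /* Constructed samples: hash algo 2 (SHA-1); salt and count are dummy values. */
    const unsigned char stub[] = { 101, 2, 'G', 'N', 'U', 1 };
    const unsigned char real[] = { 3, 2, 1, 2, 3, 4, 5, 6, 7, 8, 96 };

    printf("stub: absent=%d\n", secret_parts_absent(stub, sizeof stub));
    printf("real: absent=%d\n", secret_parts_absent(real, sizeof real));
    return 0;
}
```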



