What does --export-secret-subkeys do?

Werner Koch wk at gnupg.org
Thu Jul 8 15:23:01 CEST 2004

On Wed, 30 Jun 2004 22:42:04 -0400, James P Howard, said:

> What exactly happens when you use --export-secret-subkeys?  From
> what I understand, the master signing key is disabled in the new
> secret key ring, but I would like to know more about how this

Right, the private data of the primary key is not included in the
output.  Technically we use another protection algorithm to make
applications believe that the private key parts are there, just not
decodable.  Of course we don't put any actual data into it, just the
header to tell that it is protected using our special mode:

	    if( sk->protect.s2k.mode >= 1000 ) {
                /* These modes are not possible in OpenPGP, we use them
                   to implement our extensions, 101 can be seen as a
                   private/experimental extension (this is not
                   specified in rfc2440 but the same scheme is used
                   for all other algorithm identifiers) */
		iobuf_put(a, 101 ); 
		iobuf_put(a, sk->protect.s2k.hash_algo );
		iobuf_write(a, "GNU", 3 );
		iobuf_put(a, sk->protect.s2k.mode - 1000 );


    if( sk->protect.s2k.mode == 1001 )
        ; /* GnuPG extension - don't write a secret key at all */ 
    else if( sk->is_protected && sk->version >= 4 ) {
        /* The secret key is protected - write it out as it is */
	byte *p;
	assert( mpi_is_opaque( sk->skey[npkey] ) );
	p = mpi_get_opaque( sk->skey[npkey], &i );
	iobuf_write(a, p, i );



More information about the Gnupg-users mailing list