Is --export-ssh-key functionality possible with GnuPG 2.0?

Peter Lebbing peter at
Thu Nov 24 20:56:20 CET 2016

Stephan, thanks for helping out! I think I can improve a bit on one part
of it, though.

On 24/11/16 17:51, Stephan Beck wrote:
> A2) Export the secret subkey you'd like to use for ssh authentication
> purposes and pipe it through openpgp2ssh
> gpg2 --export-secret-subkeys \
>   --export-options export-reset-subkey-passwd [keyID!] | \
>   openpgp2ssh [keyID] > gpg-auth-keyfile
> A3) Set correct permissions
> chmod 0600 gpg-auth-keyfile

This leaves open a window where the file with your private key might be

The thing I usually do is this:

$ mkdir safe
$ chmod 700 safe
$ cd safe
$ [... do your stuff ...]
$ cd ..
$ rm -rf safe

The directory permissions prevent anyone from getting a handle for your
file. Even if the file is world-readable, nobody can get towards the
file. This is not true if you are on an NFS share, though!

The thing I would expect to actually be in the textbooks is a variation of:

$ OLD_UMASK=$(umask)
$ umask 0077
$ [... do your stuff ...]
$ umask $OLD_UMASK

The umask 0077 will create any new files with all access rights cleared
for group and world. This is your A2 and A3 folded into one, safely,
without a gap.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
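
The two approaches from the message above, as an added example that is not part of the original post: it shows the mode a key file has before `chmod` runs under a permissive umask, the mode it gets under `umask 0077`, and a private 0700 working directory. The function names are hypothetical, `write_secret` is a stand-in for the `gpg2 ... | openpgp2ssh` pipeline and writes only constructed placeholder bytes, and the subshell and `mktemp -d` are variations on the commands in the message.

```shell
#!/bin/sh
# Added example: compare the permissions a freshly written file receives
# under a permissive umask versus umask 0077, and inside a 0700 directory.
# "write_secret" stands in for the gpg2 | openpgp2ssh pipeline (assumption);
# it only writes constructed placeholder bytes.

write_secret() {
    # $1 = output path. The redirection creates the file, so the umask in
    # effect at this moment decides its initial mode.
    printf 'CONSTRUCTED-PLACEHOLDER-KEY\n' > "$1"
}

perm_of() {
    # Print the symbolic mode string (e.g. -rw-------) of $1.
    ls -ld "$1" | cut -c1-10
}

# Case 1: permissive umask, chmod afterwards (the A2 + A3 sequence).
# Prints the mode the file had *before* chmod ran.
mode_before_chmod() {
    (
        umask 0022
        write_secret "$1"
        perm_of "$1"        # what the file looks like during the gap
        chmod 0600 "$1"
    )
}

# Case 2: umask 0077 set inside a subshell, so the caller's umask is
# never changed and nothing needs restoring afterwards.
mode_with_umask() {
    (
        umask 0077
        write_secret "$1"
        perm_of "$1"
    )
}

# Case 3: private working directory; mktemp -d creates it with mode 0700.
# Prints the directory path; the caller removes it when done.
make_safe_dir() {
    mktemp -d "${TMPDIR:-/tmp}/safe.XXXXXX"
}
```
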
