Is --export-ssh-key functionality possible with GnuPG 2.0?

Stephan Beck stebe at
Sat Nov 26 22:04:00 CET 2016

Hi Teemu,

Teemu Likonen:
> Stephan Beck [2016-11-24 16:51:00Z] wrote:
>> A1) Install the monkeysphere package (1) that includes openpgp2ssh tool
>> A2) Export the secret subkey you'd like to use for ssh authentication
>> purposes and pipe it through openpgp2ssh
>> gpg2 --export-secret-subkeys \
>>   --export-options export-reset-subkey-passwd [keyID!] | \
>>   openpgp2ssh [keyID] > gpg-auth-keyfile
> Not too pretty but it works. Thank you.
> Since it creates a separate key which is not tied to my secring.gpg the
> case left me wondering what will happen when I upgrade to gpg 2.1 in the
> future. I mean I'll run gpg 2.1 someday and it will convert my
> secring.gpg to some KEYGRIP.key files, including my A-capable key. Will
> the authentication key be the same and technically compatible with the
> key that I just created with openpgp2ssh and ssh-add commands?
> Just wondering. It's not that important. Some manual work is probably
> necessary anyway at the first upgrade.

I have compiled and installed gnupg-2.1.16 into the home directory to
study it but nevertheless cannot really use it at the moment as I still
have 2.0.x installed. I read that de-installing 2.0.x would rise
problems, and for the smart card type I currently use, according to the
manufacturer, it's better to stick to 2.0.x. But I'm curious! I consider
installing and using it on another machine.

That being said, 2.1. allows for the merging of secret keys, so I guess
it's possible to keep on using your secret A-capable (sub)key.
But I don't know for sure whether the conversion process of the
secring.gpg mastered by gpg 2.1. will change any
(mathematical/technical) properties of the key(s) (as I haven't done it
for now) or not. In any case, it's good to back up the secret key (and
the public part of the secret key) before piping it through the
openpgp2ssh monkeysphere tool.
I read that gpg 2.1 only touches secring.gpg once (for conversion) and
never again. So if you re-import it to secring.gpg after that moment,
maybe you could still use it with an installed 1.4.x version and then it
really is the SAME key.
Unfortunately I cannot tell you YES or NO for sure, but maybe a list
fellow has already went through that process and is willing to give his
2 cent.



More information about the Gnupg-users mailing list