export secret subkeys

Dirk-Willem van Gulik dirkx at webweaving.org
Thu Aug 17 15:39:28 CEST 2017


I am trying to understand the man page with regards to secret subkey exports. 

      --export-secret-subkeys
              Same  as --export, but exports the secret keys instead.  The exported keys are written to STDOUT or to the file given with option --output.  This command is often
              used along with the option --armor to allow easy printing of the key for paper backup; however the external tool paperkey does a better job for  creating  backups
              on paper.  Note that exporting a secret key can be a security risk if the exported keys are send over an insecure channel.
		..

This led me to believe that --export-secret-subkeys would export just a subkey.

Instead the output of --list-packets (and the file size) suggests that both the master and the subkey are exported.

Output below - followed by a script to reproduce.

Or am I misreading this ?

With kind regards,

Dw.

# off=0 ctb=95 tag=5 hlen=3 plen=533
:secret key packet:
	version 4, algo 1, created 1502976628, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	gnu-dummy S2K, algo: 0, simple checksum, hash: 0
	protect IV: 
	keyid: 774BFCB80257A25B
# off=536 ctb=b4 tag=13 hlen=2 plen=30
:user ID packet: "Tess von Testy <test at test.com>"
# off=568 ctb=89 tag=2 hlen=3 plen=595
:signature packet: algo 1, keyid 774BFCB80257A25B
	version 4, created 1502976628, md5len 0, sigclass 0x13
	digest algo 10, begin of digest f6 39
	hashed subpkt 33 len 21 (issuer fpr v4 C1CC37B73A5DA5263699A091774BFCB80257A25B)
	hashed subpkt 2 len 4 (sig created 2017-08-17)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 9 len 4 (key expires after 1y0d0h0m)
	hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
	hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 1 0)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	subpkt 16 len 8 (issuer key ID 774BFCB80257A25B)
	data: [4095 bits]
# off=1166 ctb=9d tag=7 hlen=3 plen=1862
:secret sub key packet:
	version 4, algo 1, created 1502976632, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 1B6594BA5204BCCC
	protect count: 16777216 (224)
	protect IV:  a0 16 38 e5 6b a0 3c f0 16 f9 a4 17 c6 ba 14 a6
	skey[2]: [v4 protected]
	keyid: 11A28C9369E55B8C
# off=3031 ctb=89 tag=2 hlen=3 plen=572
:signature packet: algo 1, keyid 774BFCB80257A25B
	version 4, created 1502976632, md5len 0, sigclass 0x18
	digest algo 10, begin of digest 46 b0
	hashed subpkt 33 len 21 (issuer fpr v4 C1CC37B73A5DA5263699A091774BFCB80257A25B)
	hashed subpkt 2 len 4 (sig created 2017-08-17)
	hashed subpkt 27 len 1 (key flags: 0C)
	hashed subpkt 9 len 4 (key expires after 120d0h0m)
	subpkt 16 len 8 (issuer key ID 774BFCB80257A25B)
	data: [4094 bits]





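#!/bin/sh
# Reproduction script for the --export-secret-subkeys question: it sets up a
# throwaway GnuPG home, generates a test key with an encryption subkey, exports
# it with --export-secret-subkeys and lists the resulting packets.
#
# Fix: the original first line was "#/bin/sh" (no "!"), which is only a
# comment, so the interpreter was whatever shell happened to run the file.
set -e
# Trace mode echoes every command, including the --passphrase arguments used
# further down. Tolerable only because every secret here is a dummy test value;
# do not reuse this pattern with real passphrases.
set -x

# Scratch locations. GNUPGHOME starts out as the mount point of the volume
# named VOLNAME (used by the hdiutil branch below); the other branch overrides
# it. The default VOLNAME is derived from the PID, so the path under TMPDIR is
# predictable.
TMPDIR=${TMPDIR:-/tmp}
VOLNAME=${VOLNAME:-gnupg.tmp.$$}
TMPSTORE=${TMPDIR}/${VOLNAME}
GNUPGHOME=/Volumes/${VOLNAME}

# Test identity.
# NOTE(review): "test at test.com" looks like the list archive's rewriting of
# an "@" address - confirm before running.
FIRST="Tess"
LAST="von Testy"
MOI="${FIRST} ${LAST} <test at test.com>"

# Dummy passphrases and PINs for the test run. Only PASSWD is used in the
# visible part of the script; the rest presumably serve the snipped tests.
PASSWD=12345678
NEWPIN=123456
RESET=12345678
NEWMASTER=12345678
OLDMASTER=12345678

# Absolute paths pin the GnuPG binaries under test.
PGP=/usr/local/bin/gpg2
SM=/usr/local/bin/gpgsm
PRESET=/usr/local/libexec/gpg-preset-passphrase

# Size of the encrypted scratch volume.
SIZE=5M

export RANDFILE=~/.openssl.rand.state

# Validity passed to key generation: primary key and subkey respectively.
export DAYS=365
export SUBDAYS=120

# Stop any running agent/scdaemon so the new GNUPGHOME gets fresh daemons.
# The "|| echo" keeps "set -e" from aborting when nothing was running.
# Issued twice in the original - presumably to catch a respawned daemon;
# TODO confirm.
killall scdaemon gpg-agent || echo Already dead
killall scdaemon gpg-agent || echo Already dead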

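# Put the scratch GnuPG home on an encrypted volume so the test key material
# is not written to plain disk.
#
# Fixes relative to the original listing:
#   - "/usr/bin/hdiutil hdiutil create" named the tool twice, so "hdiutil"
#     was passed where the verb belongs;
#   - a stray "ME}" line (apparently the tail of a wrapped "${VOLNAME}") sat
#     before "else" and would have been run as a command;
#   - expansions are quoted.
if test -f /usr/bin/hdiutil; then
	# macOS: create and attach an encrypted HFS+ image. The passphrase is
	# 128 random bytes (base64) piped in through -stdinpass; the visible
	# script stores it nowhere.
	openssl rand -base64 128 |
		/usr/bin/hdiutil create -attach -stdinpass -quiet \
		-encryption -size "$SIZE" -fs HFS+ \
		-volname "${VOLNAME}" "${TMPSTORE}"
	# Unlink the backing image right after attaching it; presumably so that
	# nothing is left behind once the volume is detached.
	rm -f "${TMPSTORE}.dmg"
else
	# crypted_luks is not defined in the visible part of the script -
	# presumably a helper from the snipped portion; TODO confirm.
	crypted_luks 5M

	# No /Volumes mount point here: use a private directory instead.
	GNUPGHOME=${TMPSTORE}
	mkdir -p "${GNUPGHOME}"
	chmod 700 "${GNUPGHOME}"
fi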

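# Everything below runs in a subshell so that the "cd" and the exported
# GNUPGHOME do not leak into the rest of the script.
#
# Changes relative to the original listing:
#   - the fingerprint and keygrip are taken from field 10 of the colon listing
#     with awk instead of "IFS=: ; set $( ... )", which left IFS modified for
#     the rest of the subshell and overwrote the positional parameters;
#   - the length check uses ${#FPR} rather than "echo -n | wc -c";
#   - the final --list-packets uses ${PGP}, the same binary that produced the
#     export, instead of whichever "gpg" is first on PATH;
#   - expansions are quoted and the failure message goes to stderr.
(
set -e
export GNUPGHOME
cd "$GNUPGHOME"

# gpg.conf: "pinentry-mode loopback" is what lets --batch --passphrase work.
# "debug-level guru" is the most verbose debug level and the log goes to the
# fixed path /tmp/sc.log, i.e. outside the encrypted scratch volume and shared
# by gpg, gpg-agent and scdaemon. Treat that file as sensitive and remove it
# after the run.
cat > "${GNUPGHOME}/gpg.conf" <<EOM
use-agent 
pinentry-mode loopback
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB ZIP Uncompressed

debug-level guru
log-file /tmp/sc.log
EOM

# gpg-agent.conf: "debug-quick-random" lowers the random quality used for key
# generation to speed up tests; keys made under it are for testing only.
# allow-preset-passphrase / allow-loopback-pinentry relax the agent's
# passphrase handling, again for unattended test use.
cat > "${GNUPGHOME}/gpg-agent.conf" <<EOM
# Bit annoying we need this - despite no user interaction.
pinentry-program /usr/bin/pinentry-curses

debug-quick-random
allow-preset-passphrase
allow-loopback-pinentry
default-cache-ttl 300
max-cache-ttl 300

debug-level guru
log-file /tmp/sc.log
EOM

cat > "${GNUPGHOME}/scdaemon.conf" <<EOM
debug-level guru
log-file /tmp/sc.log
EOM

# sign or cert (revoc?)
#
# Primary key: RSA 4096, usage "sign", expiry taken from DAYS.
# --passphrase puts the passphrase on the command line, where it shows up in
# process listings and in the "set -x" trace; fine for the dummy value used
# here. --passphrase-fd or --passphrase-file avoid that exposure.
"${PGP}" --verbose --homedir "${GNUPGHOME}" \
	--quick-generate-key \
	--batch --passphrase "${PASSWD}" \
	"${MOI}" rsa4096 sign "${DAYS}"

# Field 10 of the first "fpr" record is the primary key fingerprint.
FPR=$("${PGP}" --homedir "${GNUPGHOME}" --list-secret-keys --with-colons |
	awk -F: '/^fpr:/ { print $10; exit }')

# A v4 fingerprint is 40 hex characters; anything else means the key was not
# generated or the listing could not be parsed.
if [ "${#FPR}" -ne 40 ]; then
	echo "Generation failed, FPR not 40 bytes." >&2
	exit 1
fi

# Field 10 of the first "grp" record is the keygrip. It is not used in the
# visible part of the script - presumably needed by the snipped tests.
KEYGRIP=$("${PGP}" --homedir "${GNUPGHOME}" --with-keygrip --list-secret-keys --with-colons |
	awk -F: '/^grp:/ { print $10; exit }')

# Encryption subkey: RSA 4096, usage "encr", expiry taken from SUBDAYS.
"${PGP}" --homedir "${GNUPGHOME}" \
	--quick-add-key \
	--batch --passphrase "${PASSWD}" \
	"$FPR" rsa4096 encr "$SUBDAYS"

# The export contains the whole key block, not only the subkey. In the packet
# listing shown with this script the primary key packet is present but marked
# "gnu-dummy S2K" and has no skey[] line, while the subkey packet carries
# protected secret material ("skey[2]: [v4 protected]"). The file is therefore
# larger than a single subkey but, going by that listing, the primary key's
# secret part is only a stub. Naming the primary fingerprint selects its
# subkeys; the gpg manual describes the "!" suffix for picking one specific
# subkey.
# sub-enc.sec lands in the current directory, i.e. inside GNUPGHOME.
"${PGP}" --homedir "${GNUPGHOME}" \
	--batch --passphrase "${PASSWD}" \
	--export-secret-subkeys "$FPR" \
		> sub-enc.sec

# Inspect what was actually exported.
"${PGP}" --list-packets < sub-enc.sec
#.. snip other unit tests
)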






