export secret subkeys

Damien Goutte-Gattat dgouttegattat at incenp.org
Thu Aug 17 16:05:57 CEST 2017

On 08/17/2017 03:39 PM, Dirk-Willem van Gulik wrote:
> This had me believe that export-secret-subkeys would just export a
> subkey.
> Instead the output of --list-packets (and the file size) suggests
> that both the master and the subkey are exported.

Seemingly, yes. But actually, when using --export-secret-subkeys, the 
master private key is not really exported. The command does produce a 
"secret key packet" corresponding to the master key, but this packet 
does not actually contain the private key material.

Look for the "gnu-dummy S2K" line in the details of the secret key packet:

> :secret key packet:
>         version 4, algo 1, created 1502976628, expires 0
>         pkey[0]: [4096 bits]
>         pkey[1]: [17 bits]
>         gnu-dummy S2K, algo: 0, simple checksum, hash: 0

It's the clue indicating that this packet is actually unusable. And 
that's what the man page means when it says:

"The second form of the command has the special property to render the 
secret part of the primary key useless."

The purpose of this command is to create a situation where only the 
private subkeys are available on the machine, while the master private 
key is stored offline.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170817/f3165bde/attachment.sig>

More information about the Gnupg-users mailing list