export secret subkeys
dgouttegattat at incenp.org
Thu Aug 17 16:05:57 CEST 2017
On 08/17/2017 03:39 PM, Dirk-Willem van Gulik wrote:

> This had me believe that export-secret-subkeys would just export a
> Instead the output of --list-packets (and the file size) suggests
> that both the master and the subkey are exported.

Seemingly, yes. But actually, when using --export-secret-subkeys, the
master private key is not really exported. The command does produce a
"secret key packet" corresponding to the master key, but this packet
does not actually contain the private key material.

Look for the "gnu-dummy S2K" line in the details of the secret key packet:

> :secret key packet:
> version 4, algo 1, created 1502976628, expires 0
> pkey: [4096 bits]
> pkey: [17 bits]
> gnu-dummy S2K, algo: 0, simple checksum, hash: 0

It's the clue indicating that this packet is actually unusable. And
that's what the man page means when it says:

"The second form of the command has the special property to render the
secret part of the primary key useless."

The purpose of this command is to create a situation where only the
private subkeys are available on the machine, while the master private
key is stored offline.
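Added example, not part of the original post: a shell check that reads `gpg --list-packets` output and reports, for each secret key packet, whether it carries the "gnu-dummy S2K" marker described above. The function names and the sample listing are constructed for illustration; the sample is modeled on the packet dump quoted in the message.

```shell
#!/bin/sh
# Reads `gpg --list-packets` text on stdin and prints one line per secret
# packet: "<packet name>: stub" or "<packet name>: key material present".
classify_secret_packets() {
    awk '
        function emit() {
            if (name != "") print name ": " (stub ? "stub" : "key material present")
        }
        /^:/ {                                  # ":" in column 1 opens a new packet
            emit(); name = ""; stub = 0
            if ($0 ~ /^:secret (sub )?key packet:/) {
                name = $0; sub(/^:/, "", name); sub(/ packet:.*$/, "", name)
            }
            next
        }
        /gnu-dummy S2K/ { stub = 1 }            # marker: packet has no private material
        END { emit() }
    '
}

# Succeeds only if the primary (master) secret key packet is a gnu-dummy stub.
master_is_stub() {
    classify_secret_packets | grep -x 'secret key: stub' >/dev/null
}

# Constructed sample listing (not real key data): stubbed master, protected subkey.
sample_listing() {
cat <<'EOF'
:secret key packet:
    version 4, algo 1, created 1502976628, expires 0
    pkey[0]: [4096 bits]
    pkey[1]: [17 bits]
    gnu-dummy S2K, algo: 0, simple checksum, hash: 0
:user ID packet: "Constructed User <user@example.org>"
:secret sub key packet:
    version 4, algo 1, created 1502976628, expires 0
    pkey[0]: [4096 bits]
    pkey[1]: [17 bits]
    iter+salt S2K, algo: 7, SHA1 protection, hash: 2
    skey[2]: [v4 protected]
EOF
}

# Real use (KEYID is a placeholder):
#   gpg --export-secret-subkeys KEYID | gpg --list-packets | classify_secret_packets
sample_listing | classify_secret_packets
```

Running `master_is_stub` on an export before copying it to a less trusted machine confirms that the file carries only the subkey material.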