export secret subkeys
Damien Goutte-Gattat
dgouttegattat at incenp.org
Thu Aug 17 16:05:57 CEST 2017
On 08/17/2017 03:39 PM, Dirk-Willem van Gulik wrote:
> This had me believe that export-secret-subkeys would just export a
> subkey.
>
> Instead the output of --list-packets (and the file size) suggests
> that both the master and the subkey are exported.

Seemingly, yes. But actually, when using --export-secret-subkeys, the
master private key is not really exported. The command does produce a
"secret key packet" corresponding to the master key, but this packet
does not actually contain the private key material.

Look for the "gnu-dummy S2K" line in the details of the secret key packet:

> :secret key packet:
> version 4, algo 1, created 1502976628, expires 0
> pkey[0]: [4096 bits]
> pkey[1]: [17 bits]
> gnu-dummy S2K, algo: 0, simple checksum, hash: 0

It's the clue indicating that this packet is actually unusable. And
that's what the man page means when it says:

"The second form of the command has the special property to render the
secret part of the primary key useless."

The purpose of this command is to create a situation where only the
private subkeys are available on the machine, while the master private
key is stored offline.

Damien
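
Added example, not part of the original message: a small Python parser that checks an exported binary keyring for the "gnu-dummy S2K" marker, so an export can be verified to carry no primary-key secret before it is copied to a less trusted machine. The function names and the sample bytes are constructed for illustration; the layout assumed is a v4 RSA/Elgamal/DSA secret key packet, where GnuPG's S2K extension is type 101 followed by "GNU" and a mode byte (1 = no secret material, 2 = smartcard stub).

```python
# Public-key MPI counts per algorithm id (RSA, Elgamal, DSA; ECC keys are not handled).
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}
SECRET_TAGS = {5: "secret key", 7: "secret subkey"}

def packets(data):
    """Yield (tag, body) for each definite-length OpenPGP packet in data."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:  # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: low two bits select the length field size
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(data[i:i + (1 << ltype)], "big"), i + (1 << ltype)
        yield tag, data[i:i + length]
        i += length

def secret_status(body):
    """Classify a v4 secret (sub)key packet by the S2K fields after the public part."""
    if body[0] != 4 or body[5] not in PUBLIC_MPIS:
        raise ValueError("only v4 RSA/Elgamal/DSA keys are handled")
    pos = 6  # version (1) + creation time (4) + algorithm (1)
    for _ in range(PUBLIC_MPIS[body[5]]):  # skip each MPI: 2-byte bit count + value
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    usage = body[pos]
    # usage 254/255: cipher id, then S2K type; type 101 + "GNU" is GnuPG's extension
    if usage in (254, 255) and body[pos + 2] == 101 and body[pos + 4:pos + 7] == b"GNU":
        return {1: "gnu-dummy", 2: "card-stub"}.get(body[pos + 7], "gnu-unknown")
    return "unprotected" if usage == 0 else "protected"

def classify_export(data):
    """Return (packet kind, status) for every secret key or subkey packet."""
    return [(SECRET_TAGS[t], secret_status(b)) for t, b in packets(data) if t in SECRET_TAGS]

# Constructed sample: tiny fake RSA public part (16-bit n, e = 65537), not a real key.
PUB = b"\x04" + (1502976628).to_bytes(4, "big") + b"\x01" + b"\x00\x10\xc5\x3b" + b"\x00\x11\x01\x00\x01"
STUB = PUB + bytes.fromhex("ff006500474e5501")  # primary key carrying only the gnu-dummy S2K
SUB = PUB + bytes([254, 9, 3, 2]) + bytes(8) + b"\x60" + bytes(16) + b"\xaa" * 20  # encrypted subkey
SAMPLE = bytes([0x94, len(STUB)]) + STUB + bytes([0x9C, len(SUB)]) + SUB
```

Calling `classify_export()` on the bytes of a binary (non-armored) export should report `gnu-dummy` for the primary key; any other status for the "secret key" entry means the primary secret is present in the file.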