export secret subkeys

Peter Lebbing peter at digitalbrains.com
Thu Aug 17 16:06:39 CEST 2017


On 17/08/17 15:39, Dirk-Willem van Gulik wrote:
> # off=0 ctb=95 tag=5 hlen=3 plen=533
> :secret key packet:
> 	version 4, algo 1, created 1502976628, expires 0
> 	pkey[0]: [4096 bits]
> 	pkey[1]: [17 bits]
> 	gnu-dummy S2K, algo: 0, simple checksum, hash: 0
> 	protect IV: 
> 	keyid: 774BFCB80257A25B

Note "gnu-dummy S2K". This is an empty placeholder for the key material.
An OpenPGP secret key always contains the primary key, but this is
GnuPG's method to get away with not actually including the primary key
nonetheless.

"S2K" means "String to Key", and an S2K is a method that derives a
cryptographic key from a passphrase. The cryptographic key is
subsequently used to encrypt the secret key material (well, apart from
the fact that this is a dummy that doesn't actually do that).

And an OpenPGP secret key always contains the public key as well, which
/is/ included, in pkey[0] and pkey[1] (pkey -> public key).

> :secret sub key packet:
> 	version 4, algo 1, created 1502976632, expires 0
> 	pkey[0]: [4096 bits]
> 	pkey[1]: [17 bits]
> 	iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 1B6594BA5204BCCC
> 	protect count: 16777216 (224)
> 	protect IV:  a0 16 38 e5 6b a0 3c f0 16 f9 a4 17 c6 ba 14 a6
> 	skey[2]: [v4 protected]
> 	keyid: 11A28C9369E55B8C

And this is actually secret key material. First the public key again,
then the secret key in skey[2] (skey -> secret key). It is protected by
the "iter+salt" S2K.

This packet will be significantly larger than the earlier packet.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
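
Added example, not part of the message above and not GnuPG code: a small Python parser over an excerpt of the listing quoted in the message, reporting which secret key packets are "gnu-dummy" stubs and which carry protected key material. The dict field names are assumptions made for this sketch; the check on "protect count" uses the coded-count formula from RFC 4880, section 3.7.1.3.

```python
import re

# Excerpt of the --list-packets output quoted in the message (some lines dropped).
SAMPLE = """\
:secret key packet:
    pkey[0]: [4096 bits]
    gnu-dummy S2K, algo: 0, simple checksum, hash: 0
    keyid: 774BFCB80257A25B
:secret sub key packet:
    pkey[0]: [4096 bits]
    iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 1B6594BA5204BCCC
    protect count: 16777216 (224)
    skey[2]: [v4 protected]
    keyid: 11A28C9369E55B8C
"""

def s2k_count(coded):
    """Expand the one-byte coded S2K iteration count (RFC 4880, 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def classify(listing):
    """Return one dict per secret (sub)key packet found in the listing."""
    packets, cur = [], None
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith(":"):  # a new packet starts here
            m = re.match(r":secret (sub )?key packet:", line)
            cur = {"subkey": bool(m.group(1)), "s2k": None, "count_ok": None,
                   "has_secret": False, "keyid": None} if m else None
            if cur:
                packets.append(cur)
        elif cur is None:
            continue  # line belongs to a packet type we do not track
        elif " S2K" in line:
            cur["s2k"] = line.split(" S2K")[0]
        elif (m := re.match(r"protect count: (\d+) \((\d+)\)", line)):
            # the number in parentheses is the coded byte; both must agree
            cur["count_ok"] = s2k_count(int(m.group(2))) == int(m.group(1))
        elif line.startswith("skey["):
            cur["has_secret"] = True
        elif line.startswith("keyid:"):
            cur["keyid"] = line.split()[1]
    return packets

if __name__ == "__main__":
    for p in classify(SAMPLE):
        kind = "stub, no secret material" if p["s2k"] == "gnu-dummy" else "secret material present"
        print(p["keyid"], "subkey" if p["subkey"] else "primary", p["s2k"], kind)
```
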
