Get the private portion of subkeys
Alexander Kulbartsch
alexander at kulbartsch.de
Sat Mar 30 20:23:57 CET 2024
Hi Damien!
Upfront some information you might probably already know.
When you "normally" create a new public/private key pair, technically
*two* key pairs are created. Cross-check with "gpg -K": one secret key
(sec) for signing and certifying, marked [SC], and another one, a secret
subkey (ssb), for encryption. You can see this when you look into the
.gnupg/private-keys-v1.d folder. There are two new keys.
From your "gpg -K" output I see that you separated your certify
and signing keys (and also created an authorization key [A]). Your [S],
[E] and [A] private keys are only on the card. Your mounted/linked USB
drive does *only* seem to hold the [C] key. Otherwise it would not need
the card and indicate this with the card's corner ">".
When you now export your key as you did with
gpg --export-secret-keys --armor F72C652AE7564ECC > sec.asc
you could only export your private [C] key. It is impossible to extract
them from the smartcard.
When you call "gpg --list-packets sec.asc"
I assume you see something like "gnu-divert-to-card, ..." under your
subkeys, but not under your primary [C] key. (This part you left out
with ….)
Correct?
I hope this helps.
If you have any questions, give us some more hints where (the above
explanation) diverges from what you expect.
Best regards
Alexander
On 30.03.24 17:20, Damien Cassou wrote:
> Thank you both for your answers. I would like to understand why
> restoring the backup doesn't restore my subkeys. On a fresh ~/.gnupg, I
> did:
>
> $ gpg --list-packets /media/mystick/key
> gpg: keybox '/home/cassou/.gnupg/pubring.kbx' created
> # off=0 ctb=94 tag=5 hlen=2 plen=134
> :secret key packet:
> …
> # off=136 ctb=b4 tag=13 hlen=2 plen=32
> :user ID packet: "Damien Cassou <damien at cassou.me>"
> …
> # off=974 ctb=9c tag=7 hlen=2 plen=134
> :secret sub key packet:
> version 4, algo 22, created 1531155780, expires 0
> pkey[0]: [80 bits] ed25519 (1.3.6.1.4.1.11591.15.1)
> pkey[1]: [263 bits]
> …
> keyid: F36CF32DF9B09855
> …
>
> The last key printed here is the one I would like to import
> back. Unfortunately, importing this file doesn't import subkeys:
>
> $ gpg --import-options restore --import /media/mystick/key
> gpg: key F72C652AE7564ECC: secret key imported
> gpg: Total number processed: 1
> gpg: unchanged: 1
> gpg: secret keys read: 1
> gpg: secret keys imported: 1
>
> $ gpg -K
> gpg: /home/cassou/.gnupg/trustdb.gpg: trustdb created
> /home/cassou/.gnupg/pubring.kbx
> -------------------------------
> sec ed25519 2018-07-09 [C] [expired: 2023-07-08]
> 8E64FBE545A394F5D35CD202F72C652AE7564ECC
> uid [ expired] Damien Cassou <damien at cassou.me>
>
>
> Can someone explain why I don't get my subkeys back please?
>
> Thank you
>
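The check Alexander describes above (look at "gpg --list-packets" output and see which secret key packets really carry private material and which are only card stubs) can be automated. The following Python script is an added example and is not part of the list post or of GnuPG itself. It parses the packet dump format that gpg prints, classifies each secret key / secret subkey packet, and reports which key IDs are actually exportable from the file. The sample dump it runs on is constructed for the example: the key IDs, timestamps and checksum are placeholders, and the exact wording of the stub line ("gnu-divert-to-card S2K, ...") is assumed to follow the way gpg 2.x prints it.

```python
"""Classify secret key packets in `gpg --list-packets` output.

Added example (not from the gnupg-users post). Feed it the text that
`gpg --list-packets sec.asc` prints and it tells you, per key packet,
whether the private material is in the file or only a smartcard stub.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class KeyPacket:
    kind: str                      # "primary" or "subkey"
    keyid: Optional[str] = None
    algo: Optional[int] = None
    on_card: bool = False          # gnu-divert-to-card stub: key lives on the card
    dummy: bool = False            # gnu-dummy stub: no secret material at all


def parse_list_packets(text: str) -> List[KeyPacket]:
    """Walk the dump line by line and collect the secret (sub)key packets."""
    packets: List[KeyPacket] = []
    current: Optional[KeyPacket] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# off="):          # packet header line, ignore
            continue
        if line == ":secret key packet:":
            current = KeyPacket("primary")
            packets.append(current)
            continue
        if line == ":secret sub key packet:":
            current = KeyPacket("subkey")
            packets.append(current)
            continue
        if line.startswith(":"):               # user ID, signature, ... packets
            current = None
            continue
        if current is None:
            continue
        if line.startswith("keyid:"):
            current.keyid = line.split(":", 1)[1].strip()
        elif (m := re.match(r"version \d+, algo (\d+)", line)):
            current.algo = int(m.group(1))
        elif line.startswith("gnu-divert-to-card"):
            current.on_card = True
        elif line.startswith("gnu-dummy"):
            current.dummy = True
    return packets


def exportable_keyids(packets: List[KeyPacket]) -> List[str]:
    """Key IDs whose private material is really inside the dump."""
    return [p.keyid for p in packets if p.keyid and not (p.on_card or p.dummy)]


def describe(packets: List[KeyPacket]) -> List[str]:
    """Human-readable one-liner per key packet."""
    out = []
    for p in packets:
        where = "on card" if p.on_card else "dummy stub" if p.dummy else "in file"
        out.append(f"{p.kind:7} keyid={p.keyid} algo={p.algo} private material: {where}")
    return out


# Constructed sample dump (placeholder key IDs/timestamps, not a real key):
# a primary [C] key with its private part present, plus two card stubs.
SAMPLE_DUMP = """\
# off=0 ctb=94 tag=5 hlen=2 plen=134
:secret key packet:
\tversion 4, algo 22, created 1600000000, expires 0
\tpkey[0]: [80 bits] ed25519 (1.3.6.1.4.1.11591.15.1)
\tpkey[1]: [263 bits]
\tskey[2]: [255 bits]
\tchecksum: 0000
\tkeyid: 0000000000000001
# off=136 ctb=b4 tag=13 hlen=2 plen=32
:user ID packet: "Example User <user at example.org>"
# off=170 ctb=9c tag=7 hlen=2 plen=134
:secret sub key packet:
\tversion 4, algo 22, created 1600000000, expires 0
\tpkey[0]: [80 bits] ed25519 (1.3.6.1.4.1.11591.15.1)
\tpkey[1]: [263 bits]
\tgnu-divert-to-card S2K, algo: 0, simple checksum: 0
\tkeyid: 0000000000000002
# off=306 ctb=9c tag=7 hlen=2 plen=134
:secret sub key packet:
\tversion 4, algo 18, created 1600000000, expires 0
\tpkey[0]: [80 bits] cv25519 (1.3.6.1.4.1.3029.1.5.1)
\tpkey[1]: [263 bits]
\tgnu-divert-to-card S2K, algo: 0, simple checksum: 0
\tkeyid: 0000000000000003
"""

if __name__ == "__main__":
    pkts = parse_list_packets(SAMPLE_DUMP)
    print("\n".join(describe(pkts)))
    print("exportable from this file:", exportable_keyids(pkts))
```

To run it on a real backup, replace SAMPLE_DUMP with the output of `gpg --list-packets sec.asc`; a subkey whose packet shows the gnu-divert-to-card line will not come back from that file no matter which --import-options you use, because the file never contained its private part.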