Get the private portion of subkeys

Alexander Kulbartsch alexander at kulbartsch.de
Sat Mar 30 20:23:57 CET 2024


Hi Damien!

Upfront some information you might probably already know.
When you "normally" create a new public/private key pair technically 
*two* key pairs are created.  Cross check with "gpg -K". One secret key 
(sec) for signing and certify marked [SC] and another one, a secret sub 
key (ssb) for encryption.  You can see this when you look into the 
.gnupg/private-keys-v1.d folder.  There are two new keys.

From your "gpg -K" output I see that you separated your certify 
and signing key (and also created an authorization key [A]).  Your [S], 
[E] and [A] private keys are only on the card.  Your mounted/linked USB 
drive does *only* seem to hold the [C] key.  Otherwise it would not need 
the card and indicate this with the card's corner ">".

When you now export your key as you did with
     gpg --export-secret-keys --armor F72C652AE7564ECC > sec.asc
you could only export your private [C] key.  It is impossible to extract 
them from the smartcard.

When you call "gpg --list-packets sec.asc"
I assume you see something like "gnu-divert-to-card, ..." under your 
subkeys, but not under your primary [C] key. (This part you left out 
with ….)
Correct?


I hope this helps.
If you have any questions give us some more hints where (the above 
explanation) diverges from what you expect.


Best regards
             Alexander


On 30.03.24 17:20, Damien Cassou wrote:
> Thank you both for your answers. I would like to understand why
> restoring the backup doesn't restore my subkeys. On a fresh ~/.gnupg, I
> did:
> 
>    $ gpg --list-packets /media/mystick/key
>    gpg: keybox '/home/cassou/.gnupg/pubring.kbx' created
>    # off=0 ctb=94 tag=5 hlen=2 plen=134
>    :secret key packet:
>    # off=136 ctb=b4 tag=13 hlen=2 plen=32
>    :user ID packet: "Damien Cassou <damien at cassou.me>"
>    # off=974 ctb=9c tag=7 hlen=2 plen=134
>    :secret sub key packet:
>            version 4, algo 22, created 1531155780, expires 0
>            pkey[0]: [80 bits] ed25519 (1.3.6.1.4.1.11591.15.1)
>            pkey[1]: [263 bits]
>            keyid: F36CF32DF9B09855
> 
> The last key printed here is the one I would like to import
> back. Unfortunately, importing this file doesn't import subkeys:
> 
>    $ gpg --import-options restore --import /media/mystick/key
>    gpg: key F72C652AE7564ECC: secret key imported
>    gpg: Total number processed: 1
>    gpg:              unchanged: 1
>    gpg:       secret keys read: 1
>    gpg:   secret keys imported: 1
>    
>    $ gpg -K
>    gpg: /home/cassou/.gnupg/trustdb.gpg: trustdb created
>    /home/cassou/.gnupg/pubring.kbx
>    -------------------------------
>    sec   ed25519 2018-07-09 [C] [expired: 2023-07-08]
>          8E64FBE545A394F5D35CD202F72C652AE7564ECC
>    uid           [ expired] Damien Cassou <damien at cassou.me>
> 
> 
> Can someone explain why I don't get my subkeys back please?
> 
> Thank you
> 
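A way to check what an exported secret-key file actually contains before relying on it as a backup, as an added example (not code from this thread or from GnuPG): it parses `gpg --list-packets` text for the markers Alexander describes. The listing below is constructed from the key IDs quoted in the thread; the exact wording of the S2K line is an assumption.

```python
import re
# Constructed sample of `gpg --list-packets` output: primary [C] key present,
# subkey on a smartcard. Key IDs are from the thread; the exact S2K line
# wording is an assumption modelled on the "gnu-divert-to-card" marker.
SAMPLE = """\
# off=0 ctb=94 tag=5 hlen=2 plen=134
:secret key packet:
\tversion 4, algo 22, created 1531155780, expires 0
\tskey[2]: [255 bits]
\tkeyid: F72C652AE7564ECC
# off=136 ctb=b4 tag=13 hlen=2 plen=32
:user ID packet: "Damien Cassou <damien at cassou.me>"
# off=974 ctb=9c tag=7 hlen=2 plen=134
:secret sub key packet:
\tversion 4, algo 22, created 1531155780, expires 0
\tgnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
\tkeyid: F36CF32DF9B09855
"""

def classify_secret_packets(listing):
    """Return (kind, keyid, status) per secret (sub)key packet; status is
    'present', 'on-card' (divert-to-card stub), 'missing' (gnu-dummy) or 'unknown'."""
    result, cur = [], None
    for line in listing.splitlines():
        if line.startswith(":"):  # packet header: start a new packet
            cur = None
            if line.startswith(":secret key packet:"):
                cur = ["primary", "?", "unknown"]
            elif line.startswith(":secret sub key packet:"):
                cur = ["subkey", "?", "unknown"]
            if cur:
                result.append(cur)  # mutated in place as its body lines arrive
            continue
        if cur is None:  # body of a packet we do not inspect (user ID, signature, ...)
            continue
        s = line.strip()
        if s.startswith("gnu-divert-to-card"):
            cur[2] = "on-card"
        elif s.startswith("gnu-dummy"):
            cur[2] = "missing"
        elif s.startswith("skey[") and cur[2] == "unknown":
            cur[2] = "present"  # real private material, passphrase-protected or not
        m = re.match(r"keyid:\s*([0-9A-Fa-f]+)", s)
        if m:
            cur[1] = m.group(1).upper()
    return [tuple(c) for c in result]

def backup_holds_all_private_keys(listing):
    """True only if every secret (sub)key packet carries real key material."""
    return all(st == "present" for _, _, st in classify_secret_packets(listing))
```

Run it on the real output of `gpg --list-packets sec.asc`: a subkey reported as `on-card` is exactly the case in this thread, and such a file cannot restore that subkey on another machine.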