106

Background: My boss has tried exporting an ASC key to me with public and private parts but whenever I get the file the private part never loads up and it won't decrypt any files.

We have tried Exporting the ASC Key using:

  • Windows Application Kleopatra 2.1 (included in gpg4win)
  • Windows Application GNU Privacy Assistant (included in gpg4win)

Error: "Decryption failed. Secret Key Not available."

How do you properly export a secret or private asc key to decrypt gpg files?

vhs
Brian McCarthy

7 Answers

206

You can export the private key with the command-line tool from GPG. It works in the Windows shell. Use the following command:

gpg --export-secret-keys

A normal export with --export will not include any private keys, therefore you have to use --export-secret-keys.

Edit:

To sum up the information given in my comments, this is the command that allows you to export a specific key with the ID 1234ABCD to the file secret.asc:

gpg --export-secret-keys --armor 1234ABCD > secret.asc

You can find the ID that you need using the following command. The ID is the second part of the second column:

gpg --list-keys

To Export just 1 specific secret key instead of all of them:

gpg --export-secret-keys keyIDNumber > exportedKeyFilename.asc

keyIDNumber is the number of the key id for the desired key you are trying to export.

erb
Demento

  • @Brian: This will dump the key to the console. If you want to store it in a file, you can redirect the output to an arbitrary filename ("gpg --export-secret-keys > secret.asc"). – Demento Apr 08 '11 at 15:19
  • @Brian: This gives you the output in ASCII and not in binary. If you keep it in a file, it doesn't really matter. But once you want to pass it around any other way, the ASCII version is much easier to handle (sending it inline in an email, e.g.). – Demento Apr 13 '11 at 12:32
  • Maybe you want to carry your secret key to another location. In this case you should encrypt the exported data: "gpg --export-secret-keys keyIDNumber | gpg -c >encrypted"; decrypt it with "gpg -o unencrypted encrypted". – rockdaboot Jun 26 '14 at 13:25
  • Doesn't the first example do the same thing as the second one? I mean, 1234ABCD seems to refer to a single secret key, does it not? However, you imply that it encompasses all of them, somehow. Also, do we get the key ID from the pub or sub row? – Brōtsyorfuzthrāx Oct 02 '15 at 13:45
  • Keys exported from GnuPG remain encrypted (which is why you don't need to enter the private key passphrase), so there's really no need to encrypt it again. – Ferry Boender Feb 26 '17 at 08:57
  • I'm getting `error receiving key from agent: Permission denied - skipped` on `--export-secret-keys -a [myid]`. – M. Volf Nov 24 '18 at 18:59
  • According to `man gpg`, use of the option `--armor` with `--export-secret-keys` is intended for creating paper backups and "presents a security risk" if sent over an insecure channel. – vhs Nov 08 '19 at 07:20
  • @FerryBoender [Are you sure about that](https://www.jabberwocky.com/software/paperkey/)? – vhs Nov 08 '19 at 08:42
  • According to paper copy: "If your key has a passphrase on it (i.e. is encrypted), the paper copy is similarly encrypted." Although I have yet to find this in the official GPG doc. Also opened an issue on a gpg yubikey guide: https://github.com/drduh/YubiKey-Guide/issues/195 – rudolph9 Jun 23 '20 at 21:57
  • The difference made by the '--armor' option is whether the output is in ASCII format. The output is in readable ASCII format if '--armor' is added. – Kyle Zhang Jun 28 '21 at 15:58
34

All the above replies are correct, but might be missing one crucial step: you need to edit the imported key and "ultimately trust" that key.

gpg --edit-key (keyIDNumber)
gpg> trust

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

and select 5 to enable that imported private key as one of your keys

higuita
21

See the treatment by Dark Otter

https://montemazuma.wordpress.com/2010/03/01/moving-a-gpg-key-privately/

If the site is down, use the archive.org backup:

https://web.archive.org/web/20170518155052/https://montemazuma.wordpress.com/2010/03/01/moving-a-gpg-key-privately/

which includes a reasonably secure way to transfer keys. You could put that recommendation into the shell scripts shown below for repeated use.

First get the KEYID you want from the list shown by

$ gpg -K

From the resulting list note the KEYID (the 8 hexadecimals following sec) you need for transfer.

Then invoke the tested shell script "export_private_key" on the first account to generate your pubkey.gpg + keys.asc. Subsequently invoke "import_private_key" on the second account. Here is their content shown with cat (copy & paste content):

$ cat export_private_key 
#!/bin/sh
gpg -K                                       # list the secret keys so the KEYID can be chosen
echo "select private key"
read KEYID
gpg --output pubkey.gpg --export "$KEYID"    # public key, binary form
echo REMEMBER THE COMING PASS-PHRASE
# secret key, concatenated behind the public key, then symmetrically encrypted with AES-256
gpg --output - --export-secret-key "$KEYID" | \
   cat pubkey.gpg - | \
   gpg --armor --output keys.asc --symmetric --cipher-algo AES256
ls -l pubkey.gpg keys.asc
####################  E X P O R T _ P R I V A T E _ K E Y  #####################

Now transfer by some means the "pubkey.gpg" (if needed) and the private "keys.asc" to the second account and invoke the program shown below.

$ cat import_private_key 
#!/bin/sh
# decrypt the bundle with the pass-phrase chosen during export and import both keys
# (--no-use-agent is accepted but ignored by GnuPG 2.1 and later)
gpg --no-use-agent --output - keys.asc | gpg --import
###################  I M P O R T _ P R I V A T E _ K E Y  ######################

In Otter's spirit "And that, should be, that".

vhs
Wolfram J
10

I think you had not yet imported the private key, as the error message said. To import a public/private key from gnupg:

gpg --import mypub_key
gpg --allow-secret-key-import --import myprv_key
SIFE

  • I was asking about exporting from a computer that works... you can only import the key if it's on a local server. – Brian McCarthy Apr 12 '11 at 21:04
  • @Brian McCarthy: What are you trying to say? – SIFE Apr 12 '11 at 23:02
  • Do we really need to import the public key if the private one has been imported already? As I understand, a public key can be generated out of a private one anyway. – farhany Jul 10 '13 at 16:54
  • @farhany I think yes, because you will need it when you sign your message. – SIFE Sep 04 '13 at 05:01
6

This ended up working for me:

   gpg -a --export-secret-keys > exportedKeyFilename.asc 

You can name keyfilename.asc anything as long as you keep the .asc extension.
This command copies all secret keys on a user's computer to keyfilename.asc in the working directory from which the command was called.

To Export just 1 specific secret key instead of all of them:

   gpg -a --export-secret-keys keyIDNumber > exportedKeyFilename.asc

keyIDNumber is the number of the key id for the desired key you are trying to export.

Natim
Brian McCarthy

  • You can list all available keys with "--list-keys". The second column will contain IDs like "2048g/1234ABCD". Find the desired key and export it with "gpg --export-secret-keys 1234ABCD > secret.asc", of course changing 1234ABCD to the correct ID. You can also add the "-a" flag. It writes the output with ASCII characters, just in case the binary output is causing trouble. – Demento Apr 08 '11 at 15:27
  • @demento, thanks for the additional feedback... I'll add that to the answer. – Brian McCarthy Apr 12 '11 at 20:56
  • You still need the -a if you really want asc. – RichieHH Oct 14 '14 at 20:41
  • How do you then import them to another computer? – Natim May 11 '15 at 10:30
  • @Natim I imagine you take `exportedKeyFilename.asc` to the other computer and then do `gpg --allow-secret-key-import --import exportedKeyFilename.asc` in the directory with the `.asc` file. See: http://unix.stackexchange.com/questions/184947/how-to-import-secret-gpg-key-copied-from-one-machine-to-another – Brōtsyorfuzthrāx Oct 02 '15 at 13:51
  • You may want to export using --cipher-algo AES256 --symmetric. See http://superuser.com/questions/633715/how-do-i-fix-warning-message-was-not-integrity-protected-when-using-gpg-symme – NuSkooler Oct 15 '15 at 19:14
5

Similar to @Wolfram J's answer, here is a method to encrypt your private key with a passphrase:

gpg --output - --armor --export $KEYID | \
    gpg --output private_key.asc --armor --symmetric --cipher-algo AES256

And a corresponding method to decrypt:

gpg private_key.asc
Mateen Ulhaq

  • Unfortunately, this doesn't work if your key was passphrased initially. I filed an issue about it: https://github.com/open-keychain/open-keychain/issues/2723 – bam Aug 02 '21 at 17:29
5

1. Export a Secret Key (this is what your boss should have done for you)

gpg --export-secret-keys yourKeyName > privateKey.asc

2. Import Secret Key (import your privateKey)

gpg --import privateKey.asc

3. Not done yet, you still need to ultimately trust a key. You will need to make sure that you also ultimately trust a key.

gpg --edit-key yourKeyName

Enter trust, 5, y, and then quit

Source: https://medium.com/@GalarnykMichael/public-key-asymmetric-cryptography-using-gpg-5a8d914c9bca
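The export, transfer, import and trust steps that are spread over the answers above (the --export-secret-keys commands in the top answer, Wolfram J's export/import scripts, and the three-step procedure in this last answer) can be exercised end to end without touching a real keyring. The script below is an added example written for this page; it is not code from any of the answers or from the GnuPG project. It assumes GnuPG 2.1 or later on PATH (it relies on --quick-generate-key, --pinentry-mode loopback and --import-ownertrust) and a writable temp directory; the demo user id, the transfer passphrase and the message are constructed. It builds two throw-away keyrings, shows that the receiving keyring cannot decrypt while it holds only the public key (the question's "Secret key not available" situation), then unwraps and imports the secret key, sets ultimate ownertrust non-interactively, and decrypts successfully.

```shell
#!/bin/sh
# Added example (not from the answers above): round-trip a GnuPG secret key
# between two isolated keyrings and check when decryption starts to work.
# Assumes GnuPG >= 2.1 on PATH. All identities and secrets here are constructed.

round_trip() {
    work=$(mktemp -d) || return 1
    a="$work/home_a"     # keyring of the key owner ("the boss")
    b="$work/home_b"     # keyring of the person receiving the key
    mkdir -m 700 "$a" "$b" || return 1
    transfer_pw='constructed-transfer-passphrase'   # protects the key in transit
    msg='hello from keyring A'

    # 1. Generate an unprotected demo key in keyring A (no passphrase so the
    #    script runs unattended; a real key keeps its passphrase when exported).
    gpg --homedir "$a" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo User <demo@example.invalid>' default default never \
        2>/dev/null || return 1

    # 2. Select the key by fingerprint from the machine-readable listing instead
    #    of reading "the second part of the second column" by eye.
    fpr=$(gpg --homedir "$a" --list-secret-keys --with-colons 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1

    # 3. Export: --export yields the public key only; the secret material needs
    #    --export-secret-keys. --armor gives the ASCII ".asc" form.
    gpg --homedir "$a" --batch --armor --output "$work/pubkey.asc" \
        --export "$fpr" 2>/dev/null || return 1
    gpg --homedir "$a" --batch --armor --output "$work/secret.asc" \
        --export-secret-keys "$fpr" 2>/dev/null || return 1

    # 4. Wrap the secret export in symmetric AES-256 encryption for the trip to
    #    the other machine (what the Wolfram J and Mateen Ulhaq answers do).
    gpg --homedir "$a" --batch --pinentry-mode loopback --passphrase "$transfer_pw" \
        --symmetric --cipher-algo AES256 --armor \
        --output "$work/secret.asc.gpg" "$work/secret.asc" 2>/dev/null || return 1

    # Something encrypted to the key by its owner, to be decrypted on the other side.
    printf '%s\n' "$msg" | gpg --homedir "$a" --batch --armor \
        --encrypt --recipient "$fpr" --output "$work/msg.asc" 2>/dev/null || return 1

    # 5. Keyring B holds only the public key, so decryption must fail here:
    #    this is the "Secret key not available" situation from the question.
    gpg --homedir "$b" --batch --import "$work/pubkey.asc" 2>/dev/null || return 1
    if gpg --homedir "$b" --batch --decrypt "$work/msg.asc" >/dev/null 2>&1; then
        echo "decryption succeeded without the secret key" >&2
        return 1
    fi

    # 6. Unwrap and import the secret key, then mark it ultimately trusted
    #    without the interactive --edit-key dialog (6 = ultimate, i.e. "trust" -> 5).
    gpg --homedir "$b" --batch --pinentry-mode loopback --passphrase "$transfer_pw" \
        --decrypt "$work/secret.asc.gpg" 2>/dev/null \
        | gpg --homedir "$b" --batch --import 2>/dev/null || return 1
    printf '%s:6:\n' "$fpr" | gpg --homedir "$b" --import-ownertrust 2>/dev/null || return 1

    # 7. With the secret key imported, keyring B can decrypt the message.
    out=$(gpg --homedir "$b" --batch --quiet --decrypt "$work/msg.asc" 2>/dev/null) || return 1

    # Stop the agents started for the temporary homes and remove the files.
    gpgconf --homedir "$a" --kill gpg-agent 2>/dev/null
    gpgconf --homedir "$b" --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    printf '%s\n' "$out"
}

# Run directly with "--run": prints the message recovered in keyring B.
if [ "${1:-}" = "--run" ]; then
    round_trip
fi
```

Run it as `sh round_trip.sh --run`; it prints the recovered message. The --import-ownertrust line is the scripted form of `gpg --edit-key`, `trust`, `5`. Note that decryption itself only needs the imported secret key; ownertrust matters later, when you encrypt to that key or verify signatures with it, so the failure in the question comes from the missing import, not from missing trust.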