57

Are the exported private keys gotten by executing gpg --export-secret-keys still encrypted and protected by their passphrase? This seems to be the case but I can't find anywhere that explicitly confirms this.

If the exported keys are still encrypted then is there anyway to get the pure, unencrypted private key (like you can for the public segment)?

Matuku
  • Why do you want to do this? What do you intend to do with an *unencrypted* private key? – Keith Thompson Apr 02 '12 at 21:38
  • Nothing practical, so there's no security risk; I'm just trying to get a feel for the mathematics behind them, so getting the pure keys could be helpful – Matuku Apr 02 '12 at 22:21

3 Answers

30

Exported secret keys are encrypted by default; however, `--export-options export-reset-subkey-passwd` will produce an unprotected export:

When using the --export-secret-subkeys command, this option resets the passphrases for all exported subkeys to empty. This is useful when the exported subkey is to be used on an unattended machine where a passphrase doesn't necessarily make sense. Defaults to no.

mshroyer
  • Is there any version of this that works for the `--export-secret-keys` command rather than just `--export-secret-subkeys`? – Jack O'Connor Sep 28 '15 at 15:08
  • Seems like the export option has been removed since GnuPG 2.1. I am running 2.2.35 and getting an error: `gpg: unknown option 'export-reset-subkey-passwd'` – comfreak May 29 '22 at 13:51

7

Are exported secret keys still protected by their passphrase? You could find the answer to this so easily by exporting and then importing a secret key.

GnuPG has no simple way to export a private key in the way you describe. I can only hope you have a good reason for wanting to do this, and that you're aware of how dangerous it is to let the bits and bytes of an unprotected private key touch a disk. That said, the only option I see is to remove the passphrase before exporting...

```
gpg --edit-key KEYID
> passwd
> (Press Enter twice, i.e., use a blank passphrase)
> save
```

PS: This should be moved to Superuser; it's off-topic here.

rsaw
  • I did export and then import the secret key but couldn't rule out that the information was being stored somewhere within gpg's config files; I attempted to purge all of it, but it seems to be tied to some other system files. – Matuku Apr 02 '12 at 22:23
  • @Matuku: Ah. I can't speak about gpg in Windows/Mac from experience, but the keys should be stored in some per-user folder, e.g. `C:\Users\YOURUSERNAME` in Windows. In Linux the keyrings are stored in `~/.gnupg/`, so it's extremely easy to play around with this (even easier to create a new user and import the keys from there). – rsaw Apr 04 '12 at 05:43

2

Yes, secret keys are encrypted after exporting. Once you've imported the private key file via the following command:

```
gpg --import <name of your private key>.pgp
```

It will prompt you to enter the correct passphrase (same passphrase used to create the private key in the first place).

shalamus