Export Primary Secret Key With All Subkeys
To transport the key out from GnuPG keyring for careful purposes like logistics (switching computers) and backup, you will need to export the primary secret key alongside with all its subkeys. This section guides you on how to export the said keys.
---WARNING---
You must protect the exported key at all cost. Anyone has this key can do anything just like you.
Verify Your Primary "Certify" Key Is Available
For advanced users who deleted their "certify" capability secret key, you need to restore it back for key creations. You can verify it by using the following command:
$ gpg --list-secret-keys
Example:
$ gpg --list-secret-keys
...
---------------------------
sec rsa4096 2020-01-10 [C]
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
You want to observe the key with [C
] capability and the sec
label does not have a hash ("sec#
"). If it does, you need to restore the key by loading the backup copy and use the following command to restore it:
$ gpg --import /path/to/you/key.asc
Export Primary Secret Key With All Sub-Keys
Once done, it's time to do the key export.
Determine Your Intention
Before you start, you should determine your intention of the exported key. There are only these few reasons to do such an export:
- Export from transferring between PC to a New PC (e.g. Newly bought laptop)
- Backing up your key.
Otherwise, refrain from exporting the key as it may hurt you.
Obtain Your Primary Key ID
We start off by obtaining your primary key ID. This is by using the following command and find your key:
$ gpg --list-secret-keys
Example:
$ gpg --list-secret-keys
...
---------------------------
sec rsa4096 2020-01-10 [C]
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
ssb rsa4096 2020-01-10 [S] [expires: 2022-01-09]
ssb rsa4096 2020-01-10 [E] [expires: 2022-01-09]
ssb rsa4096 2020-01-10 [A] [expires: 2022-01-09]
ssb ed25519 2020-01-10 [S] [expires: 2022-01-09]
ssb ed25519 2020-01-10 [A] [expires: 2022-01-09]
ssb cv25519 2020-01-10 [E] [expires: 2022-01-09]
You want the long string under the [C
] key. In the example above, it is: AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
.
Export Key
Now use --export-secret-keys <ID>
argument to create the secret key file. Ensure you redirect the output into a file.
GPG Binary Format
The common file extension would be .gpg
. Here's the command:
$ gpg --export-secret-keys <ID> > /path/to/secret-key.gpg
You should get a binary file named secret-key.asc
in /path/to
.
TEXT Based Format
The common file extension would be .asc
. If you want to export in a text-only format, append --armor
argument in it. Here's the command:
$ gpg --armor --export-secret-keys <ID> > /path/to/secret-key.asc
You should get a text readable format like:
-----BEGIN PGP PRIVATE KEY BLOCK-----
... key data ...
-----END PGP PRIVATE KEY BLOCK-----
Text-only format is suitable for text-only storage, something like database.
Consume The Key File Immediately
As a good practice: DO NOT STORE the local key file. Consume it immediately like backing it up or whatever you intended to do **NOW**. Protect this key file at all cost throughout the consumption.
Delete The Key File
Once you're done with consumption, DELETE ALL local key copy file. Make sure you verify all the deletion thoroughly to avoid unnecessary identity disaster.
That's all about exporting secret keys with all sub-keys in GnuPG.