Export Primary Secret Key With Specific Subkey

To move a key out of the GnuPG keyring for a legitimate reason such as logistics (switching computers) or backup, while carrying only some of its subkeys, you need to export the primary secret key together with the specific subkeys you want. This section shows how to export exactly those keys and nothing more.

---WARNING---
You must protect the exported key at all costs. Anyone who obtains this file can do everything you can do with the key: sign, decrypt, authenticate and certify as you.

Verify Your Primary "Certify" Key Is Available

Advanced users who removed the "certify" secret key from their keyring (to keep the primary key offline) need to restore it before this export, because the export described here includes the primary secret key. Verify what you have with the following command:

$ gpg --list-secret-keys

Example:

$ gpg --list-secret-keys
...
---------------------------
sec   rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid           [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>

Look for the key with the [C] capability and confirm that its "sec" label has no hash mark after it. "sec#" means only a stub is in the keyring and the secret key material itself is missing; "sec>" means it lives on a smartcard. If you see "sec#", load your backup copy and import it with the following command:

$ gpg --import /path/to/your/key.asc

Export Primary Secret Key With Specific Sub-Keys

Once the primary secret key is confirmed to be available, it's time to do the export.

Determine Your Intention

Before you start, decide what the exported key is for. There are only two good reasons to do such an export:

  1. Transferring the key from your current PC to a new one (e.g. a newly bought laptop).
  2. Backing up your key.

Otherwise, refrain from exporting the key: every copy is one more place it can be stolen from.


Identify Your Primary Key ID and the targeted Sub-Key

Start by obtaining your primary key ID and the IDs of the subkeys you want to take along. Run the following command and find your key in the listing:

$ gpg --list-secret-keys --keyid-format LONG

Example:

$ gpg --list-secret-keys --keyid-format LONG
...
---------------------------
sec   rsa4096/F5EF57A0FB4EF0EF 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid                 [ultimate] "Shotgun" John, Smith <john.smith@company.com>
uid                 [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
ssb   rsa4096/66F2E45747AB2C90 2020-01-10 [S] [expires: 2022-01-09]
ssb   rsa4096/9D485C5208D0859F 2020-01-10 [E] [expires: 2022-01-09]
ssb   rsa4096/90939A7DBBFC226D 2020-01-10 [A] [expires: 2022-01-09]
ssb   ed25519/16972F736B59F874 2020-01-10 [S] [expires: 2022-01-09]
ssb   ed25519/D22D6E1FD575E506 2020-01-10 [A] [expires: 2022-01-09]
ssb   cv25519/25252612A403B41C 2020-01-10 [E] [expires: 2022-01-09]

In the example above,

  1. The primary key's fingerprint is AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF; its long key ID is the last 16 hex digits of that fingerprint, F5EF57A0FB4EF0EF, shown after "rsa4096/" on the "sec" line. Make sure this is the primary key you want to export.
  2. The subkey IDs are shown after "rsa4096/", "ed25519/" and "cv25519/" on the "ssb" lines: 66F2E45747AB2C90 [S], 9D485C5208D0859F [E], 90939A7DBBFC226D [A], 16972F736B59F874 [S], D22D6E1FD575E506 [A] and 25252612A403B41C [E]. The capability letter tells you what each subkey is for; pick only the ones the destination actually needs.
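The two checks above (is the certify-capable primary secret key really in the keyring, and which subkeys with which capabilities are available) can be scripted against GnuPG's machine-readable listing instead of being read off the human-readable one. The following is an added example, not code from the original page or from the GnuPG project; the function names and the constructed sample listing are this example's own, and it assumes a GnuPG 2.x colon-format layout where field 12 carries the key's own capabilities and field 15 its secret-key availability.

```shell
#!/bin/sh
# Added example, not part of the original page: parse
# `gpg --list-secret-keys --with-colons` instead of eyeballing "sec#".
# Relevant fields of a "sec"/"ssb" record (1-based, GnuPG 2.x):
#   $1  record type (sec = primary secret key, ssb = secret subkey)
#   $5  long key ID
#   $12 capabilities of this key in lowercase (c, s, e, a)
#   $15 secret-key availability: "+" present on this host, "#" stub only
#       (shown as "sec#"), a token serial number if it lives on a
#       smartcard (shown as "sec>")
# Function names and the sample listing are this example's own.

# Prints the key ID of the certify-capable primary key and returns 0 when
# its secret material is actually in the keyring; explains why otherwise.
certify_key_available() {
    awk -F: '
        $1 == "sec" && index($12, "c") > 0 {
            if ($15 == "+")       { print $5; ok = 1 }
            else if ($15 == "#")  { stub = $5 }
            else if ($15 != "")   { card = $5 }
        }
        END {
            if (ok) exit 0
            if (stub != "")      print "primary " stub " is a stub (sec#): import your backup first" > "/dev/stderr"
            else if (card != "") print "primary " card " is on a smartcard (sec>), not in the keyring" > "/dev/stderr"
            else                 print "no certify-capable primary secret key found" > "/dev/stderr"
            exit 1
        }'
}

# Prints "KEYID caps" for every subkey whose secret part is present on this
# host; an optional capability letter (s, e or a) restricts the list.
list_subkeys() {
    awk -F: -v want="$1" '
        $1 == "ssb" && $15 == "+" && (want == "" || index($12, want) > 0) { print $5, $12 }'
}

# Constructed sample in the colon format for the key shown on this page
# (not real keyring data; only the fields described above matter here).
SAMPLE_LISTING='sec:u:4096:1:F5EF57A0FB4EF0EF:1578614400:::u:::cESCA:::+:::23::0:
fpr:::::::::AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF:
uid:u::::1578614400::0123456789ABCDEF0123456789ABCDEF01234567::John Smith (Main ID) <john.smith@email.com>::::::::::0:
ssb:u:4096:1:66F2E45747AB2C90:1578614400:1641686400:::::s:::+:::23:
ssb:u:4096:1:9D485C5208D0859F:1578614400:1641686400:::::e:::+:::23:
ssb:u:4096:1:90939A7DBBFC226D:1578614400:1641686400:::::a:::+:::23:'

# Against the live keyring:
#   gpg --list-secret-keys --with-colons | certify_key_available
#   gpg --list-secret-keys --with-colons | list_subkeys a
```

Run the two live commands shown at the bottom of the block; a non-zero exit from certify_key_available means the export would only contain a stub of the primary key, which is not what this page is about.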


Export Key

Now use the --export-secret-keys <Subkey-ID>! argument to create the secret key file. The trailing exclamation mark tells GnuPG to export exactly that subkey rather than the whole key; the primary secret key is always included alongside. Redirect the output into a file, and create that file with restrictive permissions (for example by running the command under "umask 077").

---WARNING---
KEEP IN MIND THAT YOUR PRIMARY (MASTER) SECRET KEY IS STILL INCLUDED in the exported file. If you want a file that carries only the subkeys, that is a different command (--export-secret-subkeys), not the one described here.


GPG Binary Format

The common file extension is .gpg. Here's the command:

$ gpg --export-secret-keys <Subkey-ID>! [<Subkey-ID>!] > /path/to/secret-key-sub.gpg

You should get a binary file named secret-key-sub.gpg in /path/to. Please note that the exclamation mark must be included after every ID. Hence, based on the example above (taking the RSA authentication and signing subkeys), the command looks like this:

$ gpg --export-secret-keys 90939A7DBBFC226D! 66F2E45747AB2C90! > /path/to/secret-key-sub.gpg


TEXT Based Format

The common file extension is .asc. If you want to export in a text-only format, add the --armor argument. Here's the command:

$ gpg --armor --export-secret-keys <Subkey-ID>! [<Subkey-ID>!] > /path/to/secret-key-sub.asc

Please note that the exclamation mark must be included after every ID. Hence, based on the example above, the command looks like this:

$ gpg --armor --export-secret-keys 90939A7DBBFC226D! 66F2E45747AB2C90! > /path/to/secret-key-sub.asc

You should get a text readable format like:

-----BEGIN PGP PRIVATE KEY BLOCK-----

... key data ...

-----END PGP PRIVATE KEY BLOCK-----

The text-only format is suitable for channels that can only carry text, such as a password manager entry, a printout, or a text field in a database. It is the same secret material as the binary file, only base64-encoded, so it needs exactly the same protection.
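Whichever format you choose, the check a practitioner wants before carrying the file anywhere is that it contains exactly the intended primary key and subkeys, with real secret material rather than a stub. The following is an added example, not code from the original page or from the GnuPG project: it wraps the export so the file is created owner-readable only, then inspects it with gpg --list-packets. The function names and the constructed packet dump are this example's own; the key IDs are the ones from the listing on this page, and the export is written in armored form (drop --armor for the binary .gpg variant).

```shell
#!/bin/sh
# Added example, not part of the original page: export with the file locked
# down from the start, then verify what actually landed in it.
# Function names and the sample packet dump are this example's own.

# Export the primary secret key plus only the given subkeys to OUTFILE, in
# armored form. Every ID gets the "!" suffix, which is what restricts the
# export to that subkey; umask 077 makes the file mode 0600 at creation.
export_subkeys() {
    outfile=$1; shift
    ids=''
    for id in "$@"; do ids="$ids ${id}!"; done
    # $ids is split on purpose: one argument per "KEYID!"
    (umask 077 && gpg --armor --output "$outfile" --export-secret-keys $ids)
}

# Reads `gpg --list-packets FILE` output on stdin and prints one line per
# key packet: "primary KEYID", "subkey KEYID", or "...-stub KEYID" when the
# packet carries a gnu-dummy S2K, i.e. no usable secret material (an
# offline primary shows up that way). Signature/user-ID packets are ignored.
key_packets() {
    awk '
        /^:secret key packet:/        { kind = "primary"; next }
        /^:secret sub key packet:/    { kind = "subkey";  next }
        /^:/                          { kind = "";        next }
        kind != "" && /gnu-dummy S2K/ { kind = kind "-stub" }
        kind != "" && $1 == "keyid:"  { print kind, $2 }'
}

# verify_packets PRIMARY_ID SUBKEY_ID...: succeeds only if the packet list
# on stdin is exactly that primary (with real secret material) and exactly
# those subkeys, nothing more and nothing less.
verify_packets() {
    primary=$1; shift
    actual=$(key_packets | sort)
    expected=$({ printf 'primary %s\n' "$primary"
                 for id in "$@"; do printf 'subkey %s\n' "$id"; done; } | sort)
    [ "$actual" = "$expected" ]
}

# The same check against a real exported file.
verify_export() {
    file=$1; shift
    gpg --list-packets "$file" | verify_packets "$@"
}

# Constructed `--list-packets` output for the export shown on this page
# (90939A7DBBFC226D! 66F2E45747AB2C90!), trimmed to the lines that matter.
SAMPLE_PACKETS='# off=0 ctb=95 tag=5 hlen=3 plen=1862
:secret key packet:
    version 4, algo 1, created 1578614400, expires 0
    pkey[0]: [4096 bits]
    iter+salt S2K, algo: 7, SHA-1 protection, hash: 2, salt: 0011223344556677
    keyid: F5EF57A0FB4EF0EF
# off=1865 ctb=b4 tag=13 hlen=2 plen=45
:user ID packet: "John Smith (Main ID) <john.smith@email.com>"
# off=1912 ctb=89 tag=2 hlen=3 plen=590
:signature packet: algo 1, keyid F5EF57A0FB4EF0EF
    version 4, created 1578614400, md5len 0, sigclass 0x13
# off=2505 ctb=9d tag=7 hlen=3 plen=1862
:secret sub key packet:
    version 4, algo 1, created 1578614400, expires 63072000
    pkey[0]: [4096 bits]
    iter+salt S2K, algo: 7, SHA-1 protection, hash: 2, salt: 0011223344556677
    keyid: 66F2E45747AB2C90
# off=4370 ctb=9d tag=7 hlen=3 plen=1862
:secret sub key packet:
    version 4, algo 1, created 1578614400, expires 63072000
    pkey[0]: [4096 bits]
    iter+salt S2K, algo: 7, SHA-1 protection, hash: 2, salt: 0011223344556677
    keyid: 90939A7DBBFC226D'

# Live use:
#   export_subkeys /path/to/secret-key-sub.asc 90939A7DBBFC226D 66F2E45747AB2C90
#   verify_export  /path/to/secret-key-sub.asc F5EF57A0FB4EF0EF 66F2E45747AB2C90 90939A7DBBFC226D \
#       && echo "export contains exactly the intended keys"
```

verify_export fails if an extra subkey slipped in (for example because an ID was passed without its "!"), if one is missing, or if the primary key in the file is only a gnu-dummy stub; in all three cases redo the export rather than transport the file.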


Consume The Key File Immediately

As a good practice: DO NOT keep the local key file around. Consume it immediately, whether that means copying it to the backup medium or importing it on the new machine, and do it **NOW**. Protect the file at all costs for as long as it exists: use an encrypted medium or channel for the transfer, and treat the passphrase on the key as a second line of defence rather than a reason to be careless.


Delete The Key File

Once you're done, DELETE every local copy of the key file. Plain rm only unlinks the file; use shred -u (or your OS's equivalent) where it helps, but keep in mind that on SSDs, journaling filesystems and snapshots an overwrite is not guaranteed to reach the underlying blocks, so full-disk encryption is the real safeguard. Verify the deletion thoroughly to avoid an unnecessary identity disaster.

That's all about exporting the primary secret key together with specific sub-keys in GnuPG.