In time where you want to share your identity while you only want some specific keys, you will need to export the primary secret key alongside with the specific its subkeys. This section guides you on how to export the said keys.
For advanced users who deleted their "certify" capability secret key, you need to restore it back for key creations. You can verify it by using the following command:
$ gpg --list-secret-keys
Example:
$ gpg --list-secret-keys
...
---------------------------
sec rsa4096 2020-01-10 [C]
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
You want to observe the key with [C
] capability and the sec
label does not have a hash ("sec#
"). If it does, you need to restore the key by loading the backup copy and use the following command to restore it:
$ gpg --import /path/to/you/key.asc
Once done, it's time to do the key export.
We start off by obtaining your primary key ID and the targeted sub-key. This is by using the following command and find your key:
gpg --list-secret-keys --keyid-format LONG
Example:
$ gpg --list-secret-keys --keyid-format LONG
...
---------------------------
sec rsa4096/F5EF57A0FB4EF0EF 2020-01-10 [C]
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid [ultimate] "Shotgun" John, Smith <john.smith@company.com>
uid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
ssb rsa4096/66F2E45747AB2C90 2020-01-10 [S] [expires: 2022-01-09]
ssb rsa4096/9D485C5208D0859F 2020-01-10 [E] [expires: 2022-01-09]
ssb rsa4096/90939A7DBBFC226D 2020-01-10 [A] [expires: 2022-01-09]
ssb ed25519/16972F736B59F874 2020-01-10 [S] [expires: 2022-01-09]
ssb ed25519/D22D6E1FD575E506 2020-01-10 [A] [expires: 2022-01-09]
ssb cv25519/25252612A403B41C 2020-01-10 [E] [expires: 2022-01-09]
In the example above,
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
. Make sure this is the primary key you wanted to export.66F2E45747AB2C90
, 9D485C5208D0859F
, 90939A7DBBFC226D
, 16972F736B59F874
, D22D6E1FD575E506
and 25252612A403B41C
.Now use --export <subkey-ID>!
argument to create the public key file. Ensure you redirect the output into a file.
GPG Binary Format
The common file extension would be .gpg
. Here's the command:
$ gpg --export <Subkey-ID>! [<Subkey-ID>!] > /path/to/public-key-sub.gpg
You should get a binary file named public-key.asc
in /path/to
. Please note that the exclamation mark is important to be included. Hence, based on the example above, the command should like this:
$ gpg --export 90939A7DBBFC226D! 66F2E45747AB2C90! > /path/to/public-key-sub.gpg
TEXT Based Format
The common file extension would be .asc
. If you want to export in a text-only format, append --armor
argument in it. Here's the command:
$ gpg --armor --export <Subkey-ID>! [<Subkey-ID>!] > /path/to/public-key.asc
Please note that the exclamation mark is important to be included. Hence, based on the example above, the command should like this:
$ gpg --armor --export 90939A7DBBFC226D! 66F2E45747AB2C90! > /path/to/public-key-sub.asc
You should get a text readable format like:
-----BEGIN PGP PRIVATE KEY BLOCK-----
... key data ...
-----END PGP PRIVATE KEY BLOCK-----
Text-only format is suitable for text-only storage, something like database.
Public key safe for consumption and local storage. In fact, you should distribute your public key to the public especially your trustees to sign and return it back to you. Keep in mind that anything you do with the primary key (e.g. update, delete, etc.) will alter the public data so you will need to update it consistently.
That's all about exporting primary public key with specific sub-key in GnuPG.