Unable to import Private Key
Guy Wyers
guy.wyers at gmail.com
Tue Dec 27 09:59:16 CET 2016
Thanks for the reply. At least I know where things stand now, which is not
a good place :-(
I guess this is another *fine* example of the principle that an
insufficiently tested DR arrangement, will always break down when you need
it.
I'm still puzzled about this partial export, however. I'm quite sure that I
made it using something like this:
$ gpg2 -a --export-secret-keys [identifier] > private_key.asc
Now the question as to what I used as identifier, I'm not sure. The most
likely option is that I used the email address used to create the key and
maybe a key identifier. I definitely have no recollection of using the
exclamation mark '!' you mention.
Could this be linked to using an earlier version of gpg? Or could it simply
be a bug? The installation is running on a Synology, using GnuPG included
in the SynoCommunity package (https://synocommunity.com/package/gnupg).
Anyway, this looks like water under the bridge.
Thanks for your help.
-Guy
On Mon, Dec 26, 2016 at 10:21 PM, Damien Goutte-Gattat <
dgouttegattat at incenp.org> wrote:
> On 12/26/2016 06:52 PM, Guy Wyers wrote:
>
>> - Can I somehow recover from this? I guess that, at least theoretically,
>> the public should be "derivable" from the private key?
>>
>
> The problem here is not that you are missing the public key (the public
> key *is* derivable from the private key, and GnuPG would automatically
> extract the public key upon importing the private key).
>
> The problem is that you are missing the secret *primary* key to which this
> secret subkey should be attached.
>
> If you do not have a backup of that primary key, I am not sure you will be
> able to recover.
>
> At least with GnuPG 2.1, it should be possible to re-attach the subkey to
> a new primary key (because GnuPG 2.1 allows to "create" a key from a
> pre-existing key if you know its keygrip), *but* the newly re-attached key
> would still have a different key creation time and thus a different key
> ID... meaning that it could not be used to decrypt messages encrypted to
> the original key.
>
>
> - How did I end up with this truncated export? As far as I remember -even
>> if it was long long time ago- I followed the standard instructions for
>> "storing my private key in a safe place".M
>>
>
> As far as I know, the only way to export a subkey only is to explicitly
> specify that subkey by its key ID with an appended '!', as in the following
> example:
>
> $ gpg2 --output backup.gpg --export-secret-keys '0xDECAFBAD!'
>
> Otherwise, GnuPG will always export the primary key and all its subkeys.
>
> What are those "standard instructions" you are referring to? If you were
> instructed to backup only your secret subkey instead of your entire private
> keyring, I am afraid you have been badly misled.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161227/e4665b81/attachment.html>
More information about the Gnupg-users
mailing list