gpg --armor --export-secret-key username@email still outputs a private key #415
I found issue #410 that looks very similar, but the replies were not very satisfying. If it's a stub, and not the actual private key, then why is the output:
And not, I don't know
I think a good test is:
I hope the "stubs" are three files in the I can:
But, I have a feeling it will still output a private key.
I'm no security guru so please take this with several kilograms of salt. I think of it like this. Ignore the YubiKey for the moment. Assume you've generated a GnuPG key-pair on system A and you want to migrate everything to system B. You're going to do something like this:
Assuming you set a passphrase when you generated the key-pair, you'll be prompted to enter it in the third command on each system.
If you repeat this same sequence when the private keys are stored on your YubiKey, you won't get prompted for the passphrase.
I take that to mean GnuPG's authors thought there was nothing being written to the More to the point, when the private keys are stored on the YubiKey, the third command on system B produces this:
That's a sort of "you can't get there from here" message which I take to mean that, whatever is in that If I follow the instructions:
then the expected Going back a step, if I do this:
I interpret the "3" as marrying-up with the three If you run Thinking about what might have been in the minds of GnuPG's authors, if I assume that the local keychain only contains stubs then what should All things considered, I think I'd rather get the "run Does that help at all?
It helps a lot actually, thank you sir. 🙏 Before I posted this I made some tests myself. I copied the
Seeing a file that claims it has a private key really scared me as I went to great lengths to make everything safe.
Oh yes, that should have been a dead giveaway.
Hello,
I have followed the guide to the letter.
gpg -K
outputs:
We can see that the main key is a
sec#
meaning there is only a public key and no private key. We can also see that the subkeys are
ssb>
meaning that the private keys have been moved to the card.
Just to be 100% sure:
From an excess of caution I have tried running
gpg --armor --export-secret-key arvamircea@gmail.com
and well... It worked. The command outputted a private key; it did not ask me for a password or the card PIN.
How is this possible?
Inside the
private-keys-v1.d
directory I have three files corresponding to my 3 subkeys. Inside those files I have:
Key: (shadowed-private-key (rsa (n #00DA etc etc
Why is
gpg --armor --export-secret-key 0x8CCAF633B6859E80
outputting a private key? o.O
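The stub files the issue describes can be inspected without running GnuPG at all. The script below is an added example, not code from this issue or from the guide: it parses the `Key:` S-expression of a private-keys-v1.d entry and reports whether the entry is a card stub (`shadowed-private-key`, which carries only the public parameters plus a reference to the card) or an entry that actually holds secret material (`private-key` or `protected-private-key`). The sample entries, the truncated modulus values and the card serial number are constructed placeholders, and the `(shadowed t1-v1 (#serial# "OPENPGP.n"))` layout is assumed from GnuPG's key format rather than taken from the issue.

```python
import re

# Tokens of a GnuPG "advanced format" S-expression: parentheses,
# #hex# blobs, "quoted strings" and bare atoms.
_TOKEN = re.compile(r'\(|\)|#[0-9A-Fa-f\s]*#|"(?:[^"\\]|\\.)*"|[^\s()"#]+')


def parse_sexp(text):
    """Parse an S-expression into nested Python lists of string atoms."""
    stack = [[]]
    for match in _TOKEN.finditer(text):
        tok = match.group(0)
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            closed = stack.pop()
            stack[-1].append(closed)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def key_field(entry):
    """Return the value of the 'Key:' line of an extended-format entry,
    joining continuation lines (lines that start with whitespace). A file
    without a 'Key:' line is treated as a raw S-expression."""
    lines = entry.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Key:"):
            value = [line[len("Key:"):]]
            for cont in lines[i + 1:]:
                if cont[:1] not in (" ", "\t"):
                    break
                value.append(cont)
            return "\n".join(value)
    return entry


def classify_entry(entry):
    """Describe one private-keys-v1.d entry: top-level tag, algorithm,
    whether it can contain secret material, and (for stubs) the card
    serial and slot it points at."""
    top = parse_sexp(key_field(entry))
    if len(top) != 1 or not isinstance(top[0], list) or not top[0]:
        raise ValueError("expected exactly one key S-expression")
    tag = top[0][0]
    params = top[0][1] if len(top[0]) > 1 and isinstance(top[0][1], list) else []
    result = {"tag": tag, "algo": params[0] if params else None,
              "has_secret": None, "card_serial": None, "slot": None}
    if tag == "shadowed-private-key":
        # Stub: public parameters plus a card reference, no secret material.
        # Assumed layout: (shadowed t1-v1 (#serial# "OPENPGP.n")).
        result["has_secret"] = False
        for item in params[1:]:
            if (isinstance(item, list) and item[:2] == ["shadowed", "t1-v1"]
                    and len(item) > 2 and isinstance(item[2], list)
                    and len(item[2]) >= 2):
                result["card_serial"] = item[2][0].strip("#")
                result["slot"] = item[2][1].strip('"')
    elif tag in ("private-key", "protected-private-key"):
        # Cleartext private parameters, or the same wrapped in a
        # passphrase-protected blob: secret material is on disk either way.
        result["has_secret"] = True
    return result


def keystore_summary(entries):
    """entries maps keygrip -> file text. Returns (all_stubs, details)."""
    details = {grip: classify_entry(text) for grip, text in entries.items()}
    return all(d["has_secret"] is False for d in details.values()), details


# Constructed sample entries with placeholder values (not real keys).
STUB_ENTRY = """Key: (shadowed-private-key (rsa (n #00DA11223344#)(e #010001#)
  (shadowed t1-v1 (#D2760001240102000000000000000000# "OPENPGP.1"))))
Created: 20240101T000000
"""

PROTECTED_ENTRY = """Key: (protected-private-key (rsa (n #00DA11223344#)(e #010001#)
  (protected openpgp-s2k3-sha1-aes-cbc ((sha1 #0102030405060708# "65536")
   #000102030405060708090A0B0C0D0E0F#) #DEADBEEFDEADBEEFDEADBEEFDEADBEEF#)))
"""

if __name__ == "__main__":
    all_stubs, details = keystore_summary({"GRIP1": STUB_ENTRY,
                                           "GRIP2": PROTECTED_ENTRY})
    for grip, info in details.items():
        print(grip, info)
    print("every entry is a card stub:", all_stubs)
```

To check a real keyring, read each file under `~/.gnupg/private-keys-v1.d/` and pass the texts to `keystore_summary`; an entry tagged `shadowed-private-key` is what makes `gpg -K` print `ssb>`, and it is why the export above never prompted for a passphrase or PIN: there is nothing secret on disk to unlock.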