How to properly export and re-import GPG secret key and all its subkeys?

  • I have 2 YubiKeys and want one of them to be a backup. So let's say I generated a key $KEY in my computer with an encryption subkey. I need to export the secret keys, because when moving them to the card they disappear, and then reimport them.

    So I export them with

    gpg2 -a -o secmain.asc --export-secret-key --armor $KEY
    gpg2 -a -o secsub.asc --export-secret-subkeys --armor $KEY

    move them to the card, and then re-import them with:

    gpg2 --import secmain.asc
    gpg2 --import secsub.asc

    I would expect this to work (as this is what was in the tutorial I read), but on the second import GPG tells me that the key was not changed, so I don't have my encryption key back. After searching a bit I found out about the --export-secret-keys option, which I assumed would export main and all sub keys in one package, but on import encryption subkey is still missing.

    How can this be done?


    After further discussions, I tried to generate default keys, and those I can correctly import/export. Then I generated the keys with my preferred settings manually, and they also imported well. So it turns out this issue only occurs when I generate a key using this command:

    gpg2 --batch --gen-key <<EOF
    Key-Type: EdDSA
    Key-Curve: ed25519
    Key-Usage: sign
    Subkey-Type: ECC
    Subkey-Curve: Ed25519
    Subkey-Usage: encrypt
    Name-Real: My Name
    Name-Comment: uname
    Name-Email: my@email.tld
    Expire-Date: 0
    EOF

    What gives? What's wrong here, and if something is wrong, why isn't there a warning?

  • GPG tells me that the key was not changed

    That is because the secret subkeys should already be imported with the first command. You can verify with gpg --list-packets secmain.asc that the full key was exported.

    The output generated by --export-secret-subkeys is superfluous (and will contain an unusable primary secret key).

    on import encryption subkey is still missing

    Check the output of gpg --list-secret-keys


    What's wrong here

    I would suspect this:

    Subkey-Curve: Ed25519

    ... being combined with this:

    Subkey-Usage: encrypt

    I'm not sure how gpg handles this internally, since there is no way to create an "ed25519" encryption key using interactive mode. If you instead use Subkey-Curve cv25519 the key should export and import without issue.
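
The round trip the answer describes, as an added example that is not part of the original thread: generate a signing primary key with a cv25519 encryption subkey (the curve the answer suggests), export the secret key once with --export-secret-keys, count the secret subkey packets with --list-packets, then import the file into a second, empty keyring and check --list-secret-keys for a subkey with the encrypt capability. The identity, the throwaway GNUPGHOME directories and the use of %no-protection are assumptions made for an unattended run; Subkey-Type ECDH is the algorithm name this example pairs with cv25519.

```shell
#!/bin/sh
# Added example, not code from the thread above: generate a signing primary
# key with a cv25519 encryption subkey, export the secret key ONCE with
# --export-secret-keys, check the packets, and re-import into a second empty
# keyring to confirm the encryption subkey comes back. Everything runs in
# throwaway GNUPGHOME directories.
set -eu

# Hypothetical identity used only here (assumption, not from the thread).
DEMO_NAME="Demo User"
DEMO_EMAIL="demo@example.invalid"

# Create a throwaway keyring directory with the permissions gpg expects.
new_home() {
    d="$(mktemp -d)"
    chmod 700 "$d"
    printf '%s\n' "$d"
}

# Generate the key pair in keyring $1 and print the primary fingerprint.
# %no-protection keeps the run unattended; a real key gets a passphrase.
gen_key() {
    GNUPGHOME="$1" gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: EdDSA
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ECDH
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $DEMO_NAME
Name-Email: $DEMO_EMAIL
Expire-Date: 0
%commit
EOF
    GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys "$DEMO_EMAIL" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Export primary key + subkeys for key $2 from keyring $1 into file $3 and
# print how many "secret sub key packet" entries the file holds (one per subkey).
export_secret() {
    GNUPGHOME="$1" gpg --batch --armor --export-secret-keys "$2" > "$3"
    GNUPGHOME="$1" gpg --batch --list-packets "$3" | grep -c 'secret sub key packet'
}

# Import file $2 into keyring $1 and print the number of secret subkeys that
# carry the encrypt ("e") capability; field 12 of --with-colons output holds
# the capability letters.
import_and_count_encrypt() {
    GNUPGHOME="$1" gpg --batch --quiet --import "$2"
    GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1 == "ssb" && $12 ~ /e/ { n++ } END { print n + 0 }'
}

# Stop the agents gpg started for the throwaway keyrings.
cleanup() {
    for h in "$@"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
}

if command -v gpg >/dev/null 2>&1; then
    SRC="$(new_home)"
    DST="$(new_home)"
    FPR="$(gen_key "$SRC")"
    SUBKEY_PACKETS="$(export_secret "$SRC" "$FPR" "$SRC/secret.asc")"
    ENCRYPT_SUBKEYS="$(import_and_count_encrypt "$DST" "$SRC/secret.asc")"
    echo "fingerprint $FPR: $SUBKEY_PACKETS subkey packet(s) exported, $ENCRYPT_SUBKEYS encryption subkey(s) after re-import"
    cleanup "$SRC" "$DST"
else
    echo "gpg not found; skipping demonstration" >&2
fi
```

With a working configuration both counts are 1: one secret subkey packet in the exported file, and one ssb line with an "e" capability after import into the empty keyring. Running the same script with the original Subkey-Curve Ed25519 / Subkey-Usage encrypt block substituted into gen_key is the quickest way to see where the original round trip diverges, since the packet count is taken from the exported file before any import happens.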
