Export private key

Export private key

GnuPG - User mailing list

Hello all,
In the past I used to be able to export a private key using the following command:
/usr/bin/gpg --homedir /opt/.gnupg/ --export-secret-key -a "SOMEKEYID" > /opt /tmp/private.key
Something changed in the code and it now prompts me for the key password before it proceeds. I see the value in this, however this is problematic when I’m trying to automate the export to use in an application.
What is the correct way to pass the key password in the command line in order to export the private key without getting the password prompt?
Thanks in advance
_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Export private key

Andrew Gallagher
On 06/01/2021 14:14, Dino Edwards via Gnupg-users wrote:

> Hello all,
>
> In the past I used to be able to export a private key using the
> following command:
>
> /usr/bin/gpg --homedir /opt/.gnupg/ --export-secret-key -a "SOMEKEYID" >
> /opt /tmp/private.key
>
> Something changed in the code and it now prompts me for the key password
> before it proceeds. I see the value in this, however this is problematic
> when I’m trying to automate the export to use in an application.
>
> What is the correct way to pass the key password in the command line in
> order to export the private key without getting the password prompt?
You could try:

     gpg --passphrase-fd 3 ...more-options... 3<somefile

where somefile is a file containing the passphrase, or a fifo with a
coprocess writing the passphrase to it...

--
Andrew Gallagher



RE: Export private key

GnuPG - User mailing list
> You could try:

>    gpg --passphrase-fd 3 ...more-options... 3<somefile

> where somefile is a file containing the passphrase, or a fifo with a coprocess writing the passphrase to it...

That did not seem to work. But after searching for gpg --passphrase-fd, I found the following command that works:

/usr/bin/gpg --pinentry-mode=loopback --passphrase "SOMEPASSWORD" --homedir /opt/.gnupg/ --export-secret-key -a "SOMEKEYID"  >  /opt /tmp/private.key


Re: Export private key

Ingo Klöcker
In reply to this post by GnuPG - User mailing list
On Wednesday, 6 January 2021 15:14:32 CET Dino Edwards via Gnupg-users wrote:
> What is the correct way to pass the key password in the command line in
> order to export the private key without getting the password prompt?

I think we need to take a step back and look at why you want to export the
private key. Maybe there is a better solution for your use case that doesn't
require the usage of --export-secret-key.

Regards,
Ingo


Re: Export private key

GnuPG - User mailing list
In reply to this post by GnuPG - User mailing list
On Wed,  6 Jan 2021 14:14, Dino Edwards said:

> Something changed in the code and it now prompts me for the key
> password before it proceeds. I see the value in this, however this is

Yes, since version 2.1.

The reason is that the internal store for the private key uses a more
modern way of protecting the key.  Thus when exporting in the OpenPGP
format we need to re-encrypt and thus need to ask for the passphrase.

As usual since 2.1 you need to pass
  --pinentry-mode=loopback
and for example
  --passphrase-fd N

so that the gpg-agent (which does the re-encryption) does not pop up a
pinentry but asks back.

If you do not need to convey the private key in OpenPGP format you can
actually do it more easily.  Run gpg as in this example

  $ gpg --with-colons --with-keygrip -K USERID_OR_FPR
  sec:-:4096:1:CD21A80AC8C52565:1505892159:::q:::scESC:::+:::23::0:
  fpr:::::::::B2CCB68383325D61BAC50F9FCD21A80AC8C52565:
  grp:::::::::AEFF9F945E3F569062FAF62D21F1ADFF4D9A0345:
  uid:-::::1505892159::AE446DD05E9FF3A53C106836A52904256819CBC3::rs[...]
  ssb:-:4096:1:9883B66CDCF2F7EA:1505892215::::::e:::+:::23:
  fpr:::::::::BE280C5D679B2219748052909883B66CDCF2F7EA:
  grp:::::::::C1B641A6DD92DECA9E1E4FF92AA8B8F1F90BCAE2:

and grep for the grp lines (keygrips); for example:

  $ [...] |  awk -F: '$1=="grp" {print $10}'
  AEFF9F945E3F569062FAF62D21F1ADFF4D9A0345
  C1B641A6DD92DECA9E1E4FF92AA8B8F1F90BCAE2

Then copy the files

  ~/.gnupg/private-key-v1.d/AEFF9F945E3F569062FAF62D21F1ADFF4D9A0345.key
  ~/.gnupg/private-key-v1.d/C1B641A6DD92DECA9E1E4FF92AA8B8F1F90BCAE2.key

to the target machine.  They are encrypted but better use a secure
channel.  You also need to copy the public keys the usual way.  Using
this method you may also selectively share a subkey.


Shalom-Salam,

   Werner


--
Thoughts are free.  Exceptions are governed by a federal law.
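
Putting the two approaches from the thread into one script, as an added example that is not part of the original posts: `export_secret_key` does the OpenPGP-format export the way Werner describes it, with `--pinentry-mode=loopback` plus `--passphrase-fd`, reading the passphrase from a file bound to fd 3 rather than putting it in `--passphrase` on the command line (argv is visible to other local users through `ps` and `/proc`, a passphrase file with mode 0600 is not); `keygrips_from_colons` and `keygrip_files` implement the keygrip route, turning `--with-colons --with-keygrip` output into the list of agent key files to copy. The only part executed offline is the parser, run over the colon output quoted in the thread; the key id, home directory and passphrase file names are placeholders chosen for this example. The agent's key store directory is spelled `private-keys-v1.d` in the script.

```shell
#!/bin/sh
# Added example, not code from the thread.  Assumes GnuPG 2.1 or later.
# KEYID, HOMEDIR, PASSFILE and OUTFILE below are placeholders.

# OpenPGP-format export without a pinentry prompt.
# --batch suppresses interaction; loopback pinentry makes gpg-agent ask gpg
# for the passphrase, which gpg reads from fd 3.  The passphrase lives in a
# file (keep it mode 0600), never in argv.  umask 077 keeps the exported key
# file private; the subshell confines the umask change to this command.
export_secret_key() {
    keyid=$1; homedir=$2; passfile=$3; outfile=$4
    ( umask 077
      gpg --homedir "$homedir" --batch --pinentry-mode=loopback \
          --passphrase-fd 3 --armor --export-secret-keys "$keyid" \
          3<"$passfile" >"$outfile" )
}

# Read `gpg --with-colons --with-keygrip` output on stdin and print one
# keygrip per line.  Field 1 is the record type; on a grp record the
# keygrip is field 10 (fields 2..9 are empty), as in Werner's awk one-liner.
keygrips_from_colons() {
    awk -F: '$1 == "grp" { print $10 }'
}

# Same, for a key in a live keyring.  Not run below (needs gpg and a key).
keygrips_for_key() {
    gpg --homedir "$2" --with-colons --with-keygrip -K "$1" | keygrips_from_colons
}

# Map keygrips on stdin to the agent's key files under HOMEDIR.  These files
# are the agent's own (encrypted) format; copy them over a secure channel and
# export/import the public key separately, as the thread says.
keygrip_files() {
    homedir=$1
    while IFS= read -r grip; do
        printf '%s/private-keys-v1.d/%s.key\n' "$homedir" "$grip"
    done
}

# Constructed sample: the colon output quoted in the thread, embedded so the
# parser can be exercised offline.  Only the record type and field 10 of the
# grp lines matter to the parser; the other records are skipped.
SAMPLE_COLONS='sec:-:4096:1:CD21A80AC8C52565:1505892159:::q:::scESC:::+:::23::0:
fpr:::::::::B2CCB68383325D61BAC50F9FCD21A80AC8C52565:
grp:::::::::AEFF9F945E3F569062FAF62D21F1ADFF4D9A0345:
uid:-::::1505892159::AE446DD05E9FF3A53C106836A52904256819CBC3::rs[...]
ssb:-:4096:1:9883B66CDCF2F7EA:1505892215::::::e:::+:::23:
fpr:::::::::BE280C5D679B2219748052909883B66CDCF2F7EA:
grp:::::::::C1B641A6DD92DECA9E1E4FF92AA8B8F1F90BCAE2:'

# Keygrips of the sample key (primary key first, then the encryption subkey).
sample_keygrips() {
    printf '%s\n' "$SAMPLE_COLONS" | keygrips_from_colons
}

# Agent key files to copy for the sample key, given a homedir.
sample_keygrip_files() {
    sample_keygrips | keygrip_files "$1"
}

# Offline demonstration: list the two files the thread says to copy.
sample_keygrip_files /opt/.gnupg
```

To export a real key instead, call `export_secret_key SOMEKEYID /opt/.gnupg /path/to/passfile /path/to/private.key`; to get the file list for a real key, pipe `keygrips_for_key SOMEKEYID /opt/.gnupg` into `keygrip_files /opt/.gnupg`.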


RE: Export private key

GnuPG - User mailing list
In reply to this post by Ingo Klöcker

-----Original Message-----
From: Gnupg-users <[hidden email]> On Behalf Of Ingo Klöcker
Sent: Wednesday, January 6, 2021 11:16 AM
To: [hidden email]
Subject: Re: Export private key

On Wednesday, 6 January 2021 15:14:32 CET Dino Edwards via Gnupg-users wrote:
> What is the correct way to pass the key password in the command line
> in order to export the private key without getting the password prompt?

> I think we need to take a step back and look at why you want to export the
> private key. Maybe there is a better solution for your use case that doesn't
> require the usage of --export-secret-key.

Hi Ingo,

I believe I got it figured out.

Thanks
