Mailing List Archive

Export private key
Hello all,


In the past I used to be able to export a private key using the following command:

/usr/bin/gpg --homedir /opt/.gnupg/ --export-secret-key -a "SOMEKEYID" > /opt /tmp/private.key

Something changed in the code and it now prompts me for the key password before it proceeds. I see the value in this, however this is problematic when I'm trying to automate the export to use in an application.

What is the correct way to pass the key password in the command line in order to export the private key without getting the password prompt?

Thanks in advance
Re: Export private key
On 06/01/2021 14:14, Dino Edwards via Gnupg-users wrote:
> Hello all,
>
> In the past I used to be able to export a private key using the
> following command:
>
> /usr/bin/gpg --homedir /opt/.gnupg/ --export-secret-key -a "SOMEKEYID" >
> /opt /tmp/private.key
>
> Something changed in the code and it now prompts me for the key password
> before it proceeds. I see the value in this, however this is problematic
> when I'm trying to automate the export to use in an application.
>
> What is the correct way to pass the key password in the command line in
> order to export the private key without getting the password prompt?

You could try:

gpg --passphrase-fd 3 ...more-options... 3<somefile

where somefile is a file containing the passphrase, or a fifo with a
coprocess writing the passphrase to it...

--
Andrew Gallagher
RE: Export private key
> You could try:

> gpg --passphrase-fd 3 ...more-options... 3<somefile

> where somefile is a file containing the passphrase, or a fifo with a coprocess writing the passphrase to it...

That did not seem to work. But after searching for gpg --passphrase-fd, I found the following command that works:

/usr/bin/gpg --pinentry-mode=loopback --passphrase "SOMEPASSWORD" --homedir /opt/.gnupg/ --export-secret-key -a "SOMEKEYID" > /opt /tmp/private.key



_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
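
Added example, not part of the original post: the same loopback export with the passphrase read from a file descriptor instead of being given as an argument, so it does not show up in the process list or shell history. It assumes GnuPG 2.1 or later; `export_secret_key` is a hypothetical helper and its arguments are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GnuPG 2.1 or later.
# export_secret_key is a hypothetical helper; all arguments are placeholders.

# export_secret_key HOMEDIR KEYID PASSFILE OUTFILE
export_secret_key() {
    homedir=$1 keyid=$2 passfile=$3 outfile=$4

    [ -r "$passfile" ] || { echo "cannot read $passfile" >&2; return 2; }

    # Refuse a passphrase file that group or others can access:
    # columns 5-10 of the ls mode string are the group/other bits.
    mode=$(ls -ld -- "$passfile" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "refusing $passfile: group/other bits set ($mode)" >&2
        return 3
    fi

    # umask 077 in a subshell: a newly created export file is owner-only.
    # The passphrase reaches gpg on fd 3, never as an argument.
    # --batch is required for --passphrase-fd to be honoured.
    (
        umask 077
        gpg --batch --homedir "$homedir" \
            --pinentry-mode loopback --passphrase-fd 3 \
            --armor --export-secret-keys "$keyid" \
            3<"$passfile" >"$outfile"
    )
}
```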
Re: Export private key
On Wednesday, 6 January 2021 15:14:32 CET Dino Edwards via Gnupg-users wrote:
> What is the correct way to pass the key password in the command line in
> order to export the private key without getting the password prompt?

I think we need to take a step back and look at why you want to export the
private key. Maybe there is a better solution for your use case that doesn't
require the usage of --export-secret-key.

Regards,
Ingo




Re: Export private key
On Wed, 6 Jan 2021 14:14, Dino Edwards said:

> Something changed in the code and it now prompts me for the key
> password before it proceeds. I see the value in this, however this is

Yes, since version 2.1.

The reason is that the internal store for the private key uses a more
modern way of protecting the key. Thus when exporting in the OpenPGP
format we need to re-encrypt and thus need to ask for the passphrase.

As usual since 2.1 you need to pass
--pinentry-mode=loopback
and for example
--passphrase-fd N

so that the gpg-agent (which does the re-encryption) does not pop up a
pinentry but asks back.

If you do not need to convey the private key in OpenPGP format you can
actually do it more easily: run gpg as in this example

$ gpg --with-colons --with-keygrip -K USERID_OR_FPR
sec:-:4096:1:CD21A80AC8C52565:1505892159:::q:::scESC:::+:::23::0:
fpr:::::::::B2CCB68383325D61BAC50F9FCD21A80AC8C52565:
grp:::::::::AEFF9F945E3F569062FAF62D21F1ADFF4D9A0345:
uid:-::::1505892159::AE446DD05E9FF3A53C106836A52904256819CBC3::rs[...]
ssb:-:4096:1:9883B66CDCF2F7EA:1505892215::::::e:::+:::23:
fpr:::::::::BE280C5D679B2219748052909883B66CDCF2F7EA:
grp:::::::::C1B641A6DD92DECA9E1E4FF92AA8B8F1F90BCAE2:

and grep for the grp lines (keygrips); for example:

$ [...] | awk -F: '$1=="grp" {print $10}'
AEFF9F945E3F569062FAF62D21F1ADFF4D9A0345
C1B641A6DD92DECA9E1E4FF92AA8B8F1F90BCAE2

Then copy the files

~/.gnupg/private-key-v1.d/AEFF9F945E3F569062FAF62D21F1ADFF4D9A0345.key
~/.gnupg/private-key-v1.d/C1B641A6DD92DECA9E1E4FF92AA8B8F1F90BCAE2.key

to the target machine. They are encrypted but better use a secure
channel. You also need to copy the public keys the usual way. Using
this method you may also selectively share a subkey.


Shalom-Salam,

Werner


--
Thoughts are free. Exceptions are regulated by a federal law.
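
Added example, not part of the original message: a parser for the `--with-colons --with-keygrip` listing above that ties each keygrip to its key ID and capability field, so that only the file for one subkey (here the encryption subkey) is picked for copying. The function names are hypothetical; the sample listing is the one quoted in the message.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Listing copied from the message above
# (output of: gpg --with-colons --with-keygrip -K USERID_OR_FPR).
sample_listing() {
cat <<'EOF'
sec:-:4096:1:CD21A80AC8C52565:1505892159:::q:::scESC:::+:::23::0:
fpr:::::::::B2CCB68383325D61BAC50F9FCD21A80AC8C52565:
grp:::::::::AEFF9F945E3F569062FAF62D21F1ADFF4D9A0345:
uid:-::::1505892159::AE446DD05E9FF3A53C106836A52904256819CBC3::rs[...]
ssb:-:4096:1:9883B66CDCF2F7EA:1505892215::::::e:::+:::23:
fpr:::::::::BE280C5D679B2219748052909883B66CDCF2F7EA:
grp:::::::::C1B641A6DD92DECA9E1E4FF92AA8B8F1F90BCAE2:
EOF
}

# keygrip_map: read a --with-colons listing on stdin and print one
# tab-separated line per secret (sub)key:
#   record type, key ID (field 5), capabilities (field 12), keygrip (field 10)
keygrip_map() {
    awk -F: 'BEGIN { OFS = "\t" }
        $1 == "sec" || $1 == "ssb" { rec = $1; id = $5; cap = $12 }
        $1 == "grp" && rec != ""   { print rec, id, cap, $10; rec = "" }
    '
}

# keyfiles_for_cap CAP [HOMEDIR]: read a listing on stdin and print the key
# file paths of subkeys whose capability field contains CAP
# (e = encrypt, s = sign, a = authenticate). The primary key is skipped.
keyfiles_for_cap() {
    cap=$1 home=${2:-$HOME/.gnupg}
    keygrip_map | awk -F'\t' -v cap="$cap" -v dir="$home/private-key-v1.d" '
        $1 == "ssb" && index($3, cap) { print dir "/" $4 ".key" }
    '
}
```

With a real keyring, pipe `gpg --with-colons --with-keygrip -K USERID_OR_FPR` into `keyfiles_for_cap e` instead of `sample_listing`.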
RE: Export private key
-----Original Message-----
From: Gnupg-users <gnupg-users-bounces@gnupg.org> On Behalf Of Ingo Klöcker
Sent: Wednesday, January 6, 2021 11:16 AM
To: gnupg-users@gnupg.org
Subject: Re: Export private key

On Wednesday, 6 January 2021 15:14:32 CET Dino Edwards via Gnupg-users wrote:
> What is the correct way to pass the key password in the command line
> in order to export the private key without getting the password prompt?

> I think we need to take a step back and look at why you want to export the private key. Maybe there is a better solution for your use case that doesn't require the usage of --export-secret-key.

Hi Ingo,

I believe I got it figured out.

Thanks




