# [SOLVED] how to have gpg secret key in another machine

## vcmota

I have a public gpg key that was created on a computer that has been formatted since. Therefore I do not have its secret key in the new system, although I know and control the secret key. And although I have the revoke certificate generated in the creation of the key, I do not have the secret key in the file format produced when you use "gpg --export-secret-key". There must be a way for me to somehow insert the secret key in my new install since I control it in full, but how? I can't find such information anywhere. Thank you all.

Last edited by vcmota on Sun Mar 25, 2018 12:40 am; edited 1 time in total

----------

## NeddySeagoon

vcmota,

Tell us the format you do have.

If it's in a backup file you copy the file back to the correct location.

----------

## vcmota

Thank you NeddySeagoon for your reply. When I created the key in the old install I uploaded the public key to the key servers and generated and saved the revoke certificate on a pen drive. Regarding the secret key, I never saved it in any file, but I know it from memory. So this is what I have: 1) public key on the servers and imported into my current gentoo install; 2) revoke certificate on a pen drive; 3) secret key in my memory. If that were the case I could just write the secret key in a file, but I suspect that won't do it. Is there still a solution? Thank you again.

----------

## mike155

*Quote:*

> 3) secret key in my memory

vcmota,

A secret key looks like:

```
-----BEGIN PGP PRIVATE KEY BLOCK-----

TG8YBFm2VmABDADV3oOm1+SHgQDQolBavwmt0b6tk7p1f79DRwCeoRpk2p0GZRLm
xK74aXLOv2lERsKV71JUkM3se/WsjQFKw9LV7SmCvUTWQd1wjY8mQQf2b4aS71RI
.... more lines ....
UpCN371KG71UjucvHXU/UCy7DwpQnScYQAJEtW+Vdpuh2QNpyoDU4T7GXaJIpiJG
7aOMLUsk1dGcxtxG
=7gRt
-----END PGP PRIVATE KEY BLOCK-----
```

Do you really remember this in your memory? Or are you talking about the passphrase you used to encrypt the secret key?

----------

## NeddySeagoon

vcmota,

The secret key and public key are a pair.

The only difference between them is that the secret key is itself encrypted with a password.

Nobody ever looks at the keys themselves and the decrypted secret key is only ever in RAM.

A 4096 bit key is 1024 hex digits long ... is that what you memorised, a string of 1024 hex digits?

----------

## John R. Graham

*NeddySeagoon wrote:*

> The only difference between them is that the secret key is itself encrypted with a password.

Well, not the only difference. They are indeed a (cryptographically related) pair but they don't contain all the same information, the private key being a superset of what the public key contains. The additional information in the private key is encrypted as you've noted. Alas, having the public key is no help whatsoever in recovering the private key.

Having the private key passphrase is no help whatsoever in recovering the private key unless you also have that encrypted blob, which is practically unmemorizable, as you and mike155 have noted.

vcmota, unless you have that output from "gpg --export-secret-keys", you're toast.

- John

----------

## Hu

To elaborate on JRG's point, as I understand it, the revocation object is a machine-readable declaration of revocation of the key, signed in a way to prove that the signer held the private key being revoked.  It does not contain the private key itself, which is why possessing it does not help with your current problem.  Its only use is to notify others of the revocation in a way that cannot be forged by people who lack the private key.  If it were not signed, anyone could publish a revocation of your key, and you would have no way to prove to others that you were being truthful and the other person was lying.

----------

## John R. Graham

100% correct.

- John

----------

## vcmota

Thank you all mike155, NeddySeagoon, John Graham and Hu for your kind replies. And, first of all, I apologize for my profound lack of knowledge about gpg. mike155 and NeddySeagoon are correct: what I have memorized is my passphrase, not the secret key. In my ignorance I thought that both were the same. So, as John elaborated, I guess I lost the capacity to edit that key, since it has expired and without the secret key I can't modify it. But if you don't mind helping me a little more, I have a few questions:

1) I based most of what I know about gpg from this tutorial, where it is explained that a good practice in the usage of gpg keys is always holding the revoke certificate in case you lose control of your key, as it is my case now. That would project to others that you may be a trustworthy user of gpg keys. Does that also apply to the expiration? If not, am I still able to revoke the key without controlling the secret key as it is my case now?

2) Is there an indicated procedure to deal with your secret key in order to never lose it? I mean, should I export it to a file just like I did with the revoke certificate just after creating a pair and keep it in some place safe or that is not indicated for security reasons?

Thank you all very much again!

----------

## mike155

*vcmota wrote:*

> 2) Is there an indicated procedure to deal with your secret key in order to never lose it? I mean, should I export it to a file just like I did with the revoke certificate just after creating a pair and keep it in some place safe or that is not indicated for security reasons?

GnuPG stores public and private keys in the subdirectory '~/.gnupg'. Make backups of this directory. That's all.

I guess most people don't back up '~/.gnupg' exclusively, but they make backups of their home directory or even of '/home'. That's how I do it.

DO NOT export your private key(s). There is no need to and it's dangerous, especially if the exported key is unencrypted. As NeddySeagoon wrote above: your secret key should always be encrypted if it is stored on disk or in a backup.

----------

## John R. Graham

*mike155 wrote:*

> DO NOT export your private key(s). There is no need to and it's dangerous, especially if the exported key is unencrypted.

As far as I know, GnuPG doesn't even support cleartext export. The main danger of moving keys around (whether by exporting or by copying the key ring) is that the user's key passphrase is so much weaker than the private key itself. You never want to share these keys except to another machine you own. It's particularly dangerous to send them via email, not because they're in the clear but because they're crackable with enough effort.

- John

----------

## mike155

*John R. Graham wrote:*

> As far as I know, GnuPG doesn't even support cleartext export.

GnuPG supports cleartext export, look here.

----------

## John R. Graham

I stand corrected. Still, you have to go out of your way to do that. Normally exported keys are approximately as secure as the key ring itself.

- John

----------

## vcmota

But let me ask: is either the private key or the passphrase stored unencrypted in the ~/.gnupg directory?

----------

## mike155

*Quote:*

> But let me ask: is either the private key or the passphrase stored unencrypted in the ~/.gnupg directory?

No! The passphrase isn't stored in ~/.gnupg. Your secret key is stored encrypted in ~/.gnupg.

Let's look at an example: If you want to decipher an encrypted email you received, PGP needs your unencrypted secret key. PGP reads your encrypted key from ~/.gnupg and asks you for your passphrase, because your passphrase isn't stored anywhere. After you enter your passphrase, PGP decrypts your encrypted secret key and deciphers the email using the unencrypted secret key. The unencrypted secret key is stored in memory only and PGP will delete it as soon as possible.

Last edited by mike155 on Sun Mar 25, 2018 12:41 am; edited 1 time in total

----------

## vcmota

Thank you all very much, I learned a lot. I am marking the thread as SOLVED. By the way, I successfully revoked the key, the secret key is not necessary for that, the only thing you need is the revoke certificate. Thank you all again!

----------
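The following script is an added example, not code from the thread or from the GnuPG project. It walks through the three points the thread settles on: the `~/.gnupg` keyring (here a throwaway `GNUPGHOME`) is what you back up, an exported secret key is still protected by its passphrase, and the revocation certificate alone, with no secret key, is enough for a third party to mark the key revoked. It assumes GnuPG 2.1 or later on `PATH`; the identity `demo@example.invalid` and the passphrase are constructed for the demo, and `gpg_migration_demo` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread): three throwaway GNUPGHOME directories
# play the old machine, the new machine and a third party that only ever saw
# the public key. Assumes GnuPG 2.1+; identity and passphrase are constructed.
set -eu

PASS='correct horse battery staple'      # constructed demo passphrase

# Run gpg against the keyring in $1, supplying the passphrase non-interactively.
g() {
  home=$1; shift
  GNUPGHOME="$home" gpg --batch --yes --quiet --pinentry-mode loopback \
    --passphrase "$PASS" "$@"
}

# Prints the validity letter the third party sees for the key at the end
# ('r' in --with-colons output means revoked).
gpg_migration_demo() {
  base=$(mktemp -d)
  old=$base/old-machine; new=$base/new-machine; other=$base/third-party
  mkdir -m 700 "$old" "$new" "$other"

  # 1. Old machine: generate a signing key. GnuPG 2.1+ also writes a
  #    revocation certificate to openpgp-revocs.d/ at this point.
  g "$old" --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Demo User
Name-Email: demo@example.invalid
Expire-Date: 0
Passphrase: $PASS
%commit
EOF
  fpr=$(g "$old" --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }')

  # 2. Backups. The secret export stays protected by the passphrase; the
  #    public key is what a keyserver would hand out to anyone.
  g "$old" --armor --export "$fpr" > "$base/public.asc"
  g "$old" --armor --export-secret-keys "$fpr" > "$base/secret-backup.asc"
  # The auto-generated certificate carries a ':' before its armor header so it
  # cannot be imported by accident; strip it to produce a usable copy.
  sed 's/^:-----BEGIN/-----BEGIN/' "$old/openpgp-revocs.d/$fpr.rev" > "$base/revoke.asc"

  # 3. New machine: only the secret backup restores the ability to sign, and
  #    the backup is useless without the passphrase (wrong one must fail).
  g "$new" --import "$base/secret-backup.asc"
  GNUPGHOME="$new" gpgconf --kill gpg-agent          # drop any cached passphrase
  printf 'hello\n' > "$base/msg"
  if GNUPGHOME="$new" gpg --batch --yes --quiet --pinentry-mode loopback \
       --passphrase 'not the passphrase' --local-user "$fpr" \
       --detach-sign --output "$base/bad.sig" "$base/msg" 2>/dev/null; then
    echo 'error: signing succeeded with a wrong passphrase' >&2; return 1
  fi
  g "$new" --local-user "$fpr" --detach-sign --output "$base/msg.sig" "$base/msg"

  # 4. Third party: holds only the public key. It verifies the signature, then
  #    imports the revocation certificate; no secret key is involved.
  g "$other" --import "$base/public.asc"
  g "$other" --verify "$base/msg.sig" "$base/msg"
  g "$other" --import "$base/revoke.asc"
  validity=$(g "$other" --list-keys --with-colons "$fpr" | awk -F: '/^pub:/ { print $2; exit }')

  for h in "$old" "$new" "$other"; do
    GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$base"
  echo "$validity"
}

echo "third party now sees key validity: $(gpg_migration_demo)"
```

Step 3 is the part that answers vcmota's original question: without `secret-backup.asc` (or the `~/.gnupg` directory it came from) there is nothing to import on the new machine, and the passphrase on its own unlocks nothing. Step 4 is what vcmota did at the end of the thread: the public key plus the revocation certificate is enough to revoke, because the certificate already carries the signature made by the secret key at creation time.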

