-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On -10/01/37 20:59, Aaron Whitehouse wrote: > How do I import a subkey into an existing secret key?
I managed to do this with gpgsplit and recombining. I'm doing this under Linux; commands for other OSes might differ. Please read the whole mail before starting. On one machine, I have a key with 2 encryption subkeys, let's say A and B. I then use these commands: $ mkdir key1 $ cd key1 $ gpg --export-secret-keys <your keyid> | gpgsplit Here, the $ sign simply indicates I type it at the prompt, a common convention. Don't actually include the $. Replace <your keyid> with your... keyid, indeed :). If I now do a listing of the files in this directory, I see the following: $ ls 000001-005.secret_key 000002-013.user_id 000003-002.sig 000004-007.secret_subkey 000005-002.sig 000006-007.secret_subkey 000007-002.sig (sorry for the layout) These files are the parts that together make up your whole key. Filenames are a sequence number (increasing), and after the dash the packet type. The packet type in human readable form is after the dot. An explanation: 000001-005.secret_key The primary key. 000002-013.user_id The user id. 000003-002.sig The signature binding user id and specifying preferences. 000004-007.secret_subkey The first secret subkey, encryption key A. 000005-002.sig Signature binding A to the primary key. 000006-007.secret_subkey The second secret subkey, encryption key B. 000007-002.sig Signature binding B to the primary key. You can het more information on these packets with, f.e.: $ cat * | gpg --list-packets This will list details about the packets, /in the same order/ as the files. Just count. Now, on the second machine I have the same key, only unfortunately it has encryption subkeys A and C. That is, on the first machine I miss key C and on the second machine I miss key B. I start out the same on the second machine: $ mkdir key2 $ cd key2 $ gpg --export-secret-keys <your keyid> | gpgsplit The files created will in this case actually have exactly the same names as described above. The big difference is the contents of the last two files: 000006-007.secret_subkey Encryption subkey /C/ 000007-002.sig Signature binding /C/ to the primary key. Unfortunately, gpg --list-packets does not list the key id's for key packets. But it does list creation date (in UNIX time format) and expiration date. You can use these numbers to match up which keys you want to combine. No need to understand UNIX time format, just match up numbers so that you end up with all unique subkeys together. You can always throw out unneeded ones later using GnuPG. Now we want to have subkey C on the first machine. Assuming you've copied the directory key2 and its contents to the first machine, you can do this: $ cp key2/000006-007.secret_subkey key1/000008-007.secret_subkey $ cp key2/000007-002.sig key1/000009-002.sig Actually, the names are not very important, as long as they are in the same sorting order as here. I chose to continue the naming GnuPG itself uses. Now directory key1 has the full key: primary key, and subkeys A, B and C. These can be combined to form the full key: $ cd key1 $ cat * >secret_key.gpg The difficulty you initially ran into is that GnuPG will not import a key it already has in the keyring, even if the subkeys are different. So after making a backup of everything, you delete the key already in the keyring. I suggest making the backup before even starting all this, to avoid disasters if you got something wrong. So on both machines, we do: $ gpg --delete-secret-and-public-keys <your keyid> $ gpg --import secret_key.gpg The file secret_key.gpg is what we created in the previous step. You should now have the full key on both systems. I hope /I/ didn't do something wrong here, but the backup you made saves you from disasters in that case. Note 1: If this is too cryptic, you should not just type in what I say. You need to understand commands you enter at the prompt, not blindly type in what some stranger on the internet says. Just ask for more info. Note 2: I strongly suggest setting the passphrase the same on the two systems, or you'll run into funny behaviour when it prompts for the passphrase of your new combined key. You might even want to "change" the passphrase after the import of the whole key, but change it to the same passphrase you already had. I won't go into the details, but this will make the key consistent with how GnuPG normally stores encrypted keys. I don't think GnuPG was ever meant to support the interesting combining of encrypted keys we do here, even though it works. On a sidenote, I think it would be cool if GnuPG, on --import, inspected all subkeys and user id's in a key individually, and add any that are missing. I think such functionality is useful and intuitive. Perhaps I should create a feature request ticket. Good luck, Peter. - -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt (new, larger key created on Nov 12, 2009) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJMWp+sAAoJEJaeAY/ebNyhG24IAIIQ4qa9usTBN76dMPKzoR3x tXXamXRsgr+Ny6szflybheScmw0gCoqulYq8KKDu6xrYlkHuBUPMMQgXitGRvNYL YRLxTzv7QlCATwxK9VW3uyx+vCShysNFzoUlTOw1fHzn9IB0IxOzqQQKzm28ry5q 2MvsTdf2inscrEOhA6yOAQ4qCY+nzz5Yfowr8NQLBk0NVVKbxH6f077j/YqCgNyV K9Ekq+GvdL7DEQZuV8LmcykfOp6Vq9KdWMFoXPuBdvogiajR6TAnUysVAXZcO3TI hc2Kn6UiEbzZZWLAToXyrgoS/mJ10IkPnXSNH9VIiDqpqI3EL2rhY3dHLw5+98k= =kWgk -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
