Thanks for the reply. At least I know where things stand now, which is not a good place :-( I guess this is another *fine* example of the principle that an insufficiently tested DR arrangement will always break down when you need it.
I'm still puzzled about this partial export, however. I'm quite sure that I made it using something like this:

$ gpg2 -a --export-secret-keys [identifier] > private_key.asc

Now the question as to what I used as identifier, I'm not sure. The most likely option is that I used the email address used to create the key and maybe a key identifier. I definitely have no recollection of using the exclamation mark '!' you mention. Could this be linked to using an earlier version of gpg? Or could it simply be a bug?

The installation is running on a Synology, using GnuPG included in the SynoCommunity package (https://synocommunity.com/package/gnupg).

Anyway, this looks like water under the bridge. Thanks for your help.

-Guy

On Mon, Dec 26, 2016 at 10:21 PM, Damien Goutte-Gattat <dgouttegat...@incenp.org> wrote:

> On 12/26/2016 06:52 PM, Guy Wyers wrote:
>
>> - Can I somehow recover from this? I guess that, at least theoretically,
>> the public should be "derivable" from the private key?
>
> The problem here is not that you are missing the public key (the public
> key *is* derivable from the private key, and GnuPG would automatically
> extract the public key upon importing the private key).
>
> The problem is that you are missing the secret *primary* key to which this
> secret subkey should be attached.
>
> If you do not have a backup of that primary key, I am not sure you will be
> able to recover.
>
> At least with GnuPG 2.1, it should be possible to re-attach the subkey to
> a new primary key (because GnuPG 2.1 allows you to "create" a key from a
> pre-existing key if you know its keygrip), *but* the newly re-attached key
> would still have a different key creation time and thus a different key
> ID... meaning that it could not be used to decrypt messages encrypted to
> the original key.
>
>> - How did I end up with this truncated export? As far as I remember -even
>> if it was long long time ago- I followed the standard instructions for
>> "storing my private key in a safe place".
>
> As far as I know, the only way to export a subkey only is to explicitly
> specify that subkey by its key ID with an appended '!', as in the following
> example:
>
> $ gpg2 --output backup.gpg --export-secret-keys '0xDECAFBAD!'
>
> Otherwise, GnuPG will always export the primary key and all its subkeys.
>
> What are those "standard instructions" you are referring to? If you were
> instructed to back up only your secret subkey instead of your entire private
> keyring, I am afraid you have been badly misled.
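A way to test a secret-key backup for the failure discussed in this thread (secret subkey present, secret primary key missing), added here as an example and not part of either message. The function name `classify_backup` and the sample listings are constructed for illustration; the script assumes the packet headings that `gpg --list-packets` prints.

```shell
#!/bin/sh
# classify_backup (hypothetical helper): read `gpg --list-packets` output
# on stdin and print one of:
#   full          primary secret key material is present
#   stub-primary  primary secret key packet is only a gnu-dummy stub
#   subkeys-only  secret subkey packets without a secret primary key
#   no-secret     no secret key packets at all
classify_backup() {
    awk '
        /^:secret key packet:/        { primary = 1; in_primary = 1; next }
        /^:secret sub key packet:/    { subkeys++; in_primary = 0; next }
        /^:/                          { in_primary = 0; next }
        in_primary && /gnu-dummy S2K/ { stub = 1 }
        END {
            if (primary && !stub) print "full"
            else if (primary)     print "stub-primary"
            else if (subkeys)     print "subkeys-only"
            else                  print "no-secret"
        }'
}

# Constructed sample listings (not taken from a real key).
SAMPLE_FULL=':secret key packet:
    version 4, algo 1, created 1400000000, expires 0
    iter+salt S2K, algo: 7, SHA1 protection, hash: 2
:user ID packet: "Example User <user@example.org>"
:secret sub key packet:
    version 4, algo 1, created 1400000000, expires 0'

SAMPLE_STUB=':secret key packet:
    version 4, algo 1, created 1400000000, expires 0
    gnu-dummy S2K, algo: 0, simple checksum, hash: 0
:user ID packet: "Example User <user@example.org>"
:secret sub key packet:
    version 4, algo 1, created 1400000000, expires 0'

SAMPLE_SUBKEY_ONLY=':secret sub key packet:
    version 4, algo 1, created 1400000000, expires 0'

# Usage: sh check_backup.sh private_key.asc   (GPG=gpg2 to pick the binary)
if [ -n "${1:-}" ]; then
    result=$("${GPG:-gpg}" --batch --list-packets "$1" | classify_backup)
    echo "$1: $result"
    [ "$result" = "full" ] || exit 1
fi
```

Running this against a fresh export, before the original keyring is discarded, exits non-zero for anything other than a backup that carries the primary secret key.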