New .gnupg directory: Import old secret keys into new install

exportgnupgimport

I've reinstalled my OS (Ubuntu 16.04) and have an old .gnupg directory containing:

gpg-agent.conf  
gpg-agent-info-<hostname> 
gpg.conf  
private-keys-v1.d  
pubring.gpg  
secring.gpg  
S.gpg-agent  
trustdb.gpg

I'd like to import my old public & private keys into the new gnupg. (I didn't simply copy the .gnupg directory into the new install, because I understand that the new gnupg2 has some differences in database format that are a part of the new EC encryption options.)

The following worked for the public keys but failed for the secret keys:

gpg --export --keyring=~/.gnupg.old/pubring.gpg | gpg --import
gpg --export-secret-keys --keyring=~/.gnupg.old/secring.gpg | gpg --import

The latter responded with:

gpg: can't open `~/.gnupg/secring.gpg'  <== New Secret Keyring
gpg: WARNING: nothing exported
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Notice that it's failing to open my new secret ring. It gives the same error trying to export to a file:

gpg --export-secret-keys --keyring=~/.gnupg.old/secring.gpg > secret.asc

gpg: can't open `~/.gnupg/secring.gpg'  <== New Secret Keyring
gpg: WARNING: nothing exported

Since my secret key has the private part of the master key stripped, I also tried the same, with --export-secret-subkeys, but the response was the same. Putting my key ID (email address) after the export also doesn't work. I can, on the other hand, list the keys:

gpg --list-keys --keyring=~/.gnupg.old/secring.gpg

gpg: Oops; key lost!
node 0x1e7ee00 01/00 type=secret-key
node 0x1e9cbd0 00/00 type=user-id  "Me <Me@home.com>" ....
node 0x1e99dd0 00/00 type=signature  class=13 keyid=XXXXXXXX ts=1383637282
node 0x1e9c510 00/00 type=secret-subkey
node 0x1eaa210 00/00 type=signature  class=18 keyid=XXXXXXXX ts=1449138073
node 0x1eaf1f0 00/00 type=secret-subkey
node 0x1eaf580 00/00 type=signature  class=18 keyid=XXXXXXXX ts=138363647

(I'm assuming "Key lost" refers to the stripped secret master key.) Can anyone direct me how to solve this?

With the help of @Jens (below), the following works:

gpg --no-default-keyring --secret-keyring=~/.gnupg.old/secring.gpg --export-secret-keys | gpg --import

Best Answer

First of all, you're doing a kind of "no-op". gpg is still GnuPG 1.4.20 on Ubuntu 16.04, while gpg2 made a jump from GnuPG 2.0.28 to 2.1.11. Then, while GnuPG 2.1 made some changes to the file formats (new keystore format "keybox"/.kbx and merging the secret keyring into the public one), it is still compatible and will do the secret keyring merging upon first invocation of gpg2. The keyring format stays the old one unless you manually convert it. The old format is fully supported, the new format just offers performance improvements. The proposed migration path to the new keybox format is converting within the old GnuPG directory rather than moving to a completely new one:

To convert an existing pubring.gpg file to the keybox format, you first backup the ownertrust values, then rename the file to (for example) publickeys, so it won’t be recognized by any GnuPG version, then run import, and finally restore the ownertrust values:
$ cd ~/.gnupg
$ gpg --export-ownertrust >otrust.lst
$ mv pubring.gpg publickeys
$ gpg2 --import-options import-local-sigs --import publickeys
$ gpg2 --import-ownertrust otrust.lst
You may then rename the publickeys file back so that it can be used by older GnuPG versions. Remember that in this case you have two independent copies of the public keys. The ownertrust values are kept by all gpg versions in the file trustdb.gpg but the above precautions need to be taken to keep them over an import.

Considering the error message you posted, it seems that some permissions on either the new ~/.gnupg home directory or secret keyring ~/.gnupg/secring.gpg are insufficient for creating the key. This often happens if GnuPG was invoked from the root user by accident.

The message from --list-keys is not a normal output, but seems to be an error message. To print an arbitrary keyring, use the --no-default-keyring and --secret-keyring options and the --list-secret-keys commdn (and generally always have options precede commands for GnuPG):

gpg --no-default-keyring --secret-keyring=secring.gpg --list-secret-keys

Related Solutions

Do PGP private key blocks “contain” the public key as well

Yes, the OpenPGP "secret key" and "secret subkey" packets contain both public and private parameters. You can verify this by using pgpdump to examine the exported key:

$ gpg --export-secret-key grawity | pgpdump
Old: Secret Key Packet(tag 5)(1854 bytes)
    Ver 4 - new
    Public key creation time - Sat Oct 31 14:54:03 EET 2009
    Pub alg - RSA Encrypt or Sign(pub 1)
    RSA n(4096 bits) - ...
    RSA e(17 bits) - ...
    Sym alg - CAST5(sym 3)
    Iterated and salted string-to-key(s2k 3):
        Hash alg - SHA1(hash 2)
        Salt - 12 24 0f e1 5b 7e e2 46 
        Count - 65536(coded count 96)
    IV - 91 a3 44 71 47 87 a4 ba 
    Encrypted RSA d
    Encrypted RSA p
    Encrypted RSA q
    Encrypted RSA u
    Encrypted SHA1 hash

This is true for most asymmetric key systems, not just OpenPGP.

Windows – Export gpg to p12 under windows

I think you are using the wrong program; pgpsm is used to sign, check, encrypt or decrypt using the S/MIME protocol.

I do not have pgp4win at hand, but according to the man page, this should export your public and secret key:

gpg -o XXXXXXX_private.p12 --export [key id] --export-format pkcs12 --cert

The info on pkcs12 is the following,

pkcs12 Only binary blocks are output; the default file extension is .p12; a signed key must be paired; and input must match exactly one key. In this case, --cert is required.

so I included the --cert option, without reflection about that option:

--cert This option is the X.509 issuer long name or the 32-bit or 64-bit key ID, if the signing key is available.

I did some more tests (now with gpg4win), and partially have to contradict myself. The gpgsm tool in gpg4win describes itself as

gpgsm is a tool similar to gpg to provide digital encryption and sign- ing services on X.509 certificates and the CMS protocol. It is mainly used as a backend for S/MIME mail processing.

which indeed sounds correct.

So, your command posted in the question seems totally sensible, I only have two more clues:

You can try to use a ASCII armored output via the -a option
And there is an option concerning the charset of the exported key, which often is a problem with (especially older) windows programs:

--p12-charset name gpgsm uses the UTF-8 encoding when encoding passphrases for PKCS#12 files. This option may be used to force the passphrase to be encoded in the specified encoding name. This is useful if the application used to import the key uses a different encoding and thus will not be able to import a file generated by gpgsm. Commonly used values for name are Latin1 and CP850. Note that gpgsm itself automagically imports any file with a passphrase encoded to the most commonly used encodings.

Best Answer

Related Solutions

Do PGP private key blocks “contain” the public key as well

Windows – Export gpg to p12 under windows

Related Question