I've reinstalled my OS (Ubuntu 16.04) and have an old .gnupg directory containing:
gpg-agent.conf
gpg-agent-info-<hostname>
gpg.conf
private-keys-v1.d
pubring.gpg
secring.gpg
S.gpg-agent
trustdb.gpg
I'd like to import my old public & private keys into the new gnupg. (I didn't simply copy the .gnupg directory into the new install, because I understand that the new gnupg2 has some differences in database format that are a part of the new EC encryption options.)
The following worked for the public keys but failed for the secret keys:
gpg --export --keyring=~/.gnupg.old/pubring.gpg | gpg --import
gpg --export-secret-keys --keyring=~/.gnupg.old/secring.gpg | gpg --import
The latter responded with:
gpg: can't open `~/.gnupg/secring.gpg' <== New Secret Keyring
gpg: WARNING: nothing exported
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
Notice that it's failing to open my new secret ring. It gives the same error trying to export to a file:
gpg --export-secret-keys --keyring=~/.gnupg.old/secring.gpg > secret.asc
gpg: can't open `~/.gnupg/secring.gpg' <== New Secret Keyring
gpg: WARNING: nothing exported
Since my secret key has the private part of the master key stripped, I also tried the same with --export-secret-subkeys, but the response was the same. Putting my key ID (email address) after the export also doesn't work. I can, on the other hand, list the keys:
gpg --list-keys --keyring=~/.gnupg.old/secring.gpg
gpg: Oops; key lost!
node 0x1e7ee00 01/00 type=secret-key
node 0x1e9cbd0 00/00 type=user-id "Me <Me@home.com>" ....
node 0x1e99dd0 00/00 type=signature class=13 keyid=XXXXXXXX ts=1383637282
node 0x1e9c510 00/00 type=secret-subkey
node 0x1eaa210 00/00 type=signature class=18 keyid=XXXXXXXX ts=1449138073
node 0x1eaf1f0 00/00 type=secret-subkey
node 0x1eaf580 00/00 type=signature class=18 keyid=XXXXXXXX ts=138363647
(I'm assuming "Key lost" refers to the stripped secret master key.) Can anyone direct me how to solve this?
With the help of @Jens (below), the following works:
gpg --no-default-keyring --secret-keyring=~/.gnupg.old/secring.gpg --export-secret-keys | gpg --import
Best Answer
First of all, you're doing a kind of "no-op". gpg is still GnuPG 1.4.20 on Ubuntu 16.04, while gpg2 made a jump from GnuPG 2.0.28 to 2.1.11. Then, while GnuPG 2.1 made some changes to the file formats (new keystore format "keybox"/.kbx and merging the secret keyring into the public one), it is still compatible and will do the secret keyring merging upon first invocation of gpg2. The keyring format stays the old one unless you manually convert it. The old format is fully supported, the new format just offers performance improvements. The proposed migration path to the new keybox format is converting within the old GnuPG directory rather than moving to a completely new one:

Considering the error message you posted, it seems that some permissions on either the new ~/.gnupg home directory or secret keyring ~/.gnupg/secring.gpg are insufficient for creating the key. This often happens if GnuPG was invoked from the root user by accident.

The message from --list-keys is not a normal output, but seems to be an error message. To print an arbitrary keyring, use the --no-default-keyring and --secret-keyring options and the --list-secret-keys command (and generally always have options precede commands for GnuPG):
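The permission problem the answer points at (a ~/.gnupg that GnuPG "can't open", typically left behind by an accidental root invocation) can be checked before retrying the import. The script below is an added example, not part of the question or answer; it assumes GNU stat as shipped on Ubuntu and checks the ownership and modes GnuPG expects (directory 700, keyrings and config files 600, everything owned by the invoking user).

```shell
#!/bin/sh
# Added example (not from the original post): report ownership and mode
# problems in a GnuPG home directory. Assumes GNU coreutils stat.

check_gnupg_home() {
    dir="$1"
    me="$(id -u)"
    bad=0
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }

    # The home directory itself: owned by us, mode 700.
    owner=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    [ "$owner" = "$me" ] || { echo "not owned by uid $me: $dir (uid $owner)"; bad=1; }
    [ "$mode" = "700" ] || { echo "mode $mode, expected 700: $dir"; bad=1; }

    # Keyrings, trustdb and config: owned by us, mode 600.
    # Subdirectories (private-keys-v1.d) must be 700; sockets (S.gpg-agent) are skipped.
    for f in "$dir"/*; do
        [ -e "$f" ] || continue        # empty directory: the glob stays literal
        [ -S "$f" ] && continue        # agent socket, not a keyring
        owner=$(stat -c '%u' "$f")
        mode=$(stat -c '%a' "$f")
        [ "$owner" = "$me" ] || { echo "not owned by uid $me: $f (uid $owner)"; bad=1; }
        if [ -d "$f" ]; then
            [ "$mode" = "700" ] || { echo "mode $mode, expected 700: $f"; bad=1; }
        else
            [ "$mode" = "600" ] || { echo "mode $mode, expected 600: $f"; bad=1; }
        fi
    done
    return $bad
}

# Usage: sh check_gnupg_home.sh ~/.gnupg   (exit status 0 means nothing to fix)
[ $# -gt 0 ] && check_gnupg_home "$1"
```

A non-zero exit lists each offending path; a root-owned file reported here is exactly the case the answer describes, and chown/chmod back to the normal user resolves it.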