Windows – Export gpg to p12 under windows

encryptiongnupgwindows

I'm using gpg4win and I'm trying to export my gpg private key to a p12 format (to import it in Lotus Notes). According to my understanding I need to:

gpgsm.exe -o "XXXXXXXX_private.p12" --export-secret-key-p12 0xXXXXXXXX

However, I'm getting the following error : "No secret Key"
Actually, gpgsm -K does not return anything at all (where gpg -K works).

What am I missing ?

Best Answer

I think you are using the wrong program; pgpsm is used to sign, check, encrypt or decrypt using the S/MIME protocol.

I do not have pgp4win at hand, but according to the man page, this should export your public and secret key:

gpg -o XXXXXXX_private.p12 --export [key id] --export-format pkcs12 --cert

The info on pkcs12 is the following,

pkcs12 Only binary blocks are output; the default file extension is .p12; a signed key must be paired; and input must match exactly one key. In this case, --cert is required.

so I included the --cert option, without reflection about that option:

--cert This option is the X.509 issuer long name or the 32-bit or 64-bit key ID, if the signing key is available.

I did some more tests (now with gpg4win), and partially have to contradict myself. The gpgsm tool in gpg4win describes itself as

gpgsm is a tool similar to gpg to provide digital encryption and sign- ing services on X.509 certificates and the CMS protocol. It is mainly used as a backend for S/MIME mail processing.

which indeed sounds correct.

So, your command posted in the question seems totally sensible, I only have two more clues:

You can try to use a ASCII armored output via the -a option
And there is an option concerning the charset of the exported key, which often is a problem with (especially older) windows programs:

--p12-charset name gpgsm uses the UTF-8 encoding when encoding passphrases for PKCS#12 files. This option may be used to force the passphrase to be encoded in the specified encoding name. This is useful if the application used to import the key uses a different encoding and thus will not be able to import a file generated by gpgsm. Commonly used values for name are Latin1 and CP850. Note that gpgsm itself automagically imports any file with a passphrase encoded to the most commonly used encodings.

Related Solutions

New .gnupg directory: Import old secret keys into new install

First of all, you're doing a kind of "no-op". gpg is still GnuPG 1.4.20 on Ubuntu 16.04, while gpg2 made a jump from GnuPG 2.0.28 to 2.1.11. Then, while GnuPG 2.1 made some changes to the file formats (new keystore format "keybox"/.kbx and merging the secret keyring into the public one), it is still compatible and will do the secret keyring merging upon first invocation of gpg2. The keyring format stays the old one unless you manually convert it. The old format is fully supported, the new format just offers performance improvements. The proposed migration path to the new keybox format is converting within the old GnuPG directory rather than moving to a completely new one:

To convert an existing pubring.gpg file to the keybox format, you first backup the ownertrust values, then rename the file to (for example) publickeys, so it won’t be recognized by any GnuPG version, then run import, and finally restore the ownertrust values:
$ cd ~/.gnupg
$ gpg --export-ownertrust >otrust.lst
$ mv pubring.gpg publickeys
$ gpg2 --import-options import-local-sigs --import publickeys
$ gpg2 --import-ownertrust otrust.lst
You may then rename the publickeys file back so that it can be used by older GnuPG versions. Remember that in this case you have two independent copies of the public keys. The ownertrust values are kept by all gpg versions in the file trustdb.gpg but the above precautions need to be taken to keep them over an import.

Considering the error message you posted, it seems that some permissions on either the new ~/.gnupg home directory or secret keyring ~/.gnupg/secring.gpg are insufficient for creating the key. This often happens if GnuPG was invoked from the root user by accident.

The message from --list-keys is not a normal output, but seems to be an error message. To print an arbitrary keyring, use the --no-default-keyring and --secret-keyring options and the --list-secret-keys commdn (and generally always have options precede commands for GnuPG):

gpg --no-default-keyring --secret-keyring=secring.gpg --list-secret-keys

Linux – Can’t import key with gpg on arch linux

You can manually import your key.Go to https://pgp.mit.edu/ and make a search with the following string: 0x00411886 , clic on the first link , then copy the content of the Public Key Server web page to your favorite text editor . Save it as linux-vfio.asc

Finally run : gpg --import linux-vfio.asc to import the key.

Best Answer

Related Solutions

New .gnupg directory: Import old secret keys into new install

Linux – Can’t import key with gpg on arch linux

Related Question