[SOLVED] how to have gpg secret key in another machine

vcmota · Guru Joined: 19 Jun 2017 Posts: 367

I have a public gpg key that was created in an computer that have been formatted since. Therefore I do not have its secret key in the new system, although I know and control the secret key. And although I have the revoke certificate generated in the creation of the key, I do not have the secret key in the file format produced when you use "gpg --export-secret-key". There must be a way for me to insert somehow the secret key in my new install since I control it in full, but how? I cant find anywhere such an information. Than you all.

NeddySeagoon · Posted: Sat Mar 24, 2018 11:01 am Post subject:

vcmota,

Tell us the format you do have.

If its in a backup file you copy the file back to the correct location.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

vcmota · Guru Joined: 19 Jun 2017 Posts: 367

Thank you NeddySeagoon for your reply. When I created the key in the old install I uploaded the public key to the key servers and generated and saved the revoke certificate in a pen drive. Regarding the secret key I never saved it in any file, but I know it from memory. So this is what I have: 1) public key in the servers and imported into my current gentoo install; 2) revoke certificate in a pen drive; 3) secret key in my memory. If it would be the case I could just write the secret key in a file, but I suspect that won't do it. Is there still a solution? Thank you again.

mike155 · Posted: Sat Mar 24, 2018 1:54 pm Post subject:

NeddySeagoon · Posted: Sat Mar 24, 2018 2:35 pm Post subject:

vcmota,

The secret key and public key are a pair.
The only difference between them is that the secret key is itself encrypted with a password.

Nobody ever looks at the keys themselves and the decrypted secret key is only ever in RAM.
A 4096 bit key is 1024 hex digits long ... is that what you memorised, a string of 1024 hex digits?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

John R. Graham · Posted: Sat Mar 24, 2018 3:08 pm Post subject:

Hu · Moderator Joined: 06 Mar 2007 Posts: 21633

To elaborate on JRG's point, as I understand it, the revocation object is a machine-readable declaration of revocation of the key, signed in a way to prove that the signer held the private key being revoked. It does not contain the private key itself, which is why possessing it does not help with your current problem. Its only use is to notify others of the revocation in a way that cannot be forged by people who lack the private key. If it were not signed, anyone could publish a revocation of your key, and you would have no way to prove to others that you were being truthful and the other person was lying.

John R. Graham · Posted: Sat Mar 24, 2018 4:18 pm Post subject:

100% correct.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.

vcmota · Guru Joined: 19 Jun 2017 Posts: 367

Thank you all mike155, NeddySeagoon, John Graham and Hu for your kind replies. And, first of all, I apologize for my profound lack of knowledge about gpg. mike155 and NeddySeagoon are correct: what I have memorized is my passphrase, not the secret key. In my ignorance I though that both were the same. So, as John elaborated I guess I lost the capacity to edit that key, since it has been expired and without the secret key I cant modify it. But if you don't mind helping me a little more, I have a few questions:

1) I based most of what I know about gpg from this tutorial, where it is explained that a good practice in the usage of gpg keys is always holding the revoke certificate in case you lose control of your key, as it is my case now. That would project to others that you may be a trustworthy user of gpg keys. Does that also apply to the expiration? If not, am I still able to revoke the key without controlling the secret key as it is my case now?
2) Is there an indicated procedure to deal with your secret key in order to never lose it? I mean, should I export it to a file just like I did with the revoke certificate just after creating a pair and keep it in some place safe or that is not indicated for security reasons?

Thank you all very much again!

mike155 · Posted: Sat Mar 24, 2018 9:53 pm Post subject:

John R. Graham · Posted: Sat Mar 24, 2018 10:48 pm Post subject:

mike155 · Posted: Sat Mar 24, 2018 10:56 pm Post subject:

John R. Graham · Posted: Sun Mar 25, 2018 12:07 am Post subject:

I stand corrected. Still, you have to go out of your way to do that. Normally exported keys are approximately as secure as the key ring itself.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.

vcmota · Guru Joined: 19 Jun 2017 Posts: 367

But let me ask: either the private key or the passphrase are stored unencrypted in the ~/.gnupg directory?

mike155 · Posted: Sun Mar 25, 2018 12:35 am Post subject:

vcmota · Guru Joined: 19 Jun 2017 Posts: 367

Thank you all very much, I learned a lot. I am marking the thread as SOLVED. By the way, I successfully revoked the key, the secret key is not necessary for that, the only thing you need is the revoke certificate. Thank you all again!