How to import secret gpg key (copied from one machine to another)?

  • I'm trying to copy my gpg key from one machine to another.

    I do:

    gpg --export ${ID} > public.key
    gpg --export-secret-key ${ID} > private.key
    

    Move files to new machine, and then:

    gpg --import public.key
    gpg: nyckel [ID]: public key [Name, e-mail] was imported
    gpg: Total number of treated keys: 1
    gpg:                 imported: 1  (RSA: 1)
    
    gpg --allow-secret-key-import private.key
    sec  [?]/[ID] [Creation date] [Name, e-mail]
    ssb  [?]/[SUB-ID] [Creation date]
    

    All looks good to me, but then:

    $ gpg -d [file].gpg
    gpg: encrypted with 4096-bit RSA-key, id [SUB-ID], created [Creation date]
      [Name, e-mail]
    gpg: decryption failed: secret key not accessible
    

    So the error message says that the file has been encrypted with [SUB-ID], which the secret key import appears to say it has imported. (The [SUB-ID] in both messages is the same).

    So I'm clearly doing something wrong, but I don't know what.

  • Celada

    Celada Correct answer

    6 years ago

    You need to add --import to the command line to import the private key. You need not use the --allow-secret-key-import flag. According to the man page: "This is an obsolete option and is not used anywhere."

    gpg --import private.key
    

    Any chance you'd also know why `gpg2 -e -r [ID]` says "There is no assurance this key belongs to the named user"? I wish I had included it in the original question, but I noticed it only later.

    GnuPG maintains a trust database which it uses to decide how much to trust what keys. For example, trust your own keys the most, keys that aren't directly or indirectly signed by any trusted keys the least. After you've just imported to an empty database, probably no keys at all are trusted. This trust database is separate from the database or keys themselves, so importing keys does not make them trusted unless they are signed by some already-trusted key. You have to stell GnuPG which keys you want to trust separately.

    @Celeda, thanks, with --edit-key and and the trust command I managed to get the key trusted. Since my original question was how to copy the key from one machine to another, I think it would be appropriate to add something about that to your answer. I'd prefer not to edit your answer myself, and you seem to know a lot more than me about this.

    I don't feel that I understand the trustdb well enough to talk about it in my answer. I'm glad you were able to work it out using the vague hints I gave in my comment.

    Ok, I've re-titled the original question so it more specifically fits with the answer. That way I can ask a separate question the trustdb. Thanks for the help. :)

    Regarding the owner trust, you can use `gpg2 --export-ownertrust > trustfile.txt` and `gpg2 --import-ownertrust trustfile.txt` to copy your trust settings. To do all in one step from one machine to the other, use `gpg2 --export-ownertrust | ssh [email protected] gpg2 --import-ownertrust`. Pretty cool, I think :-) This also works for the key export/import.

    for making the above work on current MacOS (using zsh) please see this: https://stackoverflow.com/a/27042267/5088194

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM