New .gnupg directory: Import old secret keys into new install
I've reinstalled my OS (Ubuntu 16.04) and have an old .gnupg directory containing:
gpg-agent.conf
gpg-agent-info-<hostname>
gpg.conf
private-keys-v1.d
pubring.gpg
secring.gpg
S.gpg-agent
trustdb.gpg
I'd like to import my old public & private keys into the new gnupg. (I didn't simply copy the .gnupg directory into the new install, because I understand that the new gnupg2 has some differences in database format that are a part of the new EC encryption options.)
The following worked for the public keys but failed for the secret keys:
gpg --export --keyring=~/.gnupg.old/pubring.gpg | gpg --import
gpg --export-secret-keys --keyring=~/.gnupg.old/secring.gpg | gpg --import
The latter responded with:
gpg: can't open `~/.gnupg/secring.gpg' <== New Secret Keyring
gpg: WARNING: nothing exported
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
Notice that it's failing to open my new secret ring. It gives the same error trying to export to a file:
gpg --export-secret-keys --keyring=~/.gnupg.old/secring.gpg > secret.asc
gpg: can't open `~/.gnupg/secring.gpg' <== New Secret Keyring
gpg: WARNING: nothing exported
Since my secret key has the private part of the master key stripped, I also tried the same with --export-secret-subkeys, but the response was the same. Putting my key ID (email address) after the export also doesn't work. I can, on the other hand, list the keys:
gpg --list-keys --keyring=~/.gnupg.old/secring.gpg
gpg: Oops; key lost!
node 0x1e7ee00 01/00 type=secret-key
node 0x1e9cbd0 00/00 type=user-id "Me <[email protected]>" ....
node 0x1e99dd0 00/00 type=signature class=13 keyid=XXXXXXXX ts=1383637282
node 0x1e9c510 00/00 type=secret-subkey
node 0x1eaa210 00/00 type=signature class=18 keyid=XXXXXXXX ts=1449138073
node 0x1eaf1f0 00/00 type=secret-subkey
node 0x1eaf580 00/00 type=signature class=18 keyid=XXXXXXXX ts=138363647
(I'm assuming "Key lost" refers to the stripped secret master key.) Can anyone direct me how to solve this?
With the help of @Jens (below), the following works:
gpg --no-default-keyring --secret-keyring=~/.gnupg.old/secring.gpg --export-secret-keys | gpg --import
First of all, you're doing a kind of "no-op". gpg is still GnuPG 1.4.20 on Ubuntu 16.04, while gpg2 made a jump from GnuPG 2.0.28 to 2.1.11. Then, while GnuPG 2.1 made some changes to the file formats (new keystore format "keybox"/.kbx and merging the secret keyring into the public one), it is still compatible and will do the secret keyring merging upon first invocation of gpg2. The keyring format stays the old one unless you manually convert it. The old format is fully supported, the new format just offers performance improvements. The proposed migration path to the new keybox format is converting within the old GnuPG directory rather than moving to a completely new one:
To convert an existing pubring.gpg file to the keybox format, you first back up the ownertrust values, then rename the file to (for example) publickeys, so it won't be recognized by any GnuPG version, then run import, and finally restore the ownertrust values:
$ cd ~/.gnupg
$ gpg --export-ownertrust >otrust.lst
$ mv pubring.gpg publickeys
$ gpg2 --import-options import-local-sigs --import publickeys
$ gpg2 --import-ownertrust otrust.lst
You may then rename the publickeys file back so that it can be used by older GnuPG versions. Remember that in this case you have two independent copies of the public keys. The ownertrust values are kept by all gpg versions in the file trustdb.gpg but the above precautions need to be taken to keep them over an import.
Considering the error message you posted, it seems that some permissions on either the new ~/.gnupg home directory or the secret keyring ~/.gnupg/secring.gpg are insufficient for creating the key. This often happens if GnuPG was invoked from the root user by accident.
The message from --list-keys is not a normal output, but seems to be an error message. To print an arbitrary keyring, use the --no-default-keyring and --secret-keyring options and the --list-secret-keys command (and generally always have options precede commands for GnuPG):
gpg --no-default-keyring --secret-keyring=secring.gpg --list-secret-keys
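The export-and-reimport migration discussed in the question and the answer above, written out as an added example script (not code from the question, the answer, or the GnuPG project). It assumes a GnuPG binary named gpg on PATH and takes the old and new home directories as placeholder arguments. It generalizes slightly: it selects the old keyring with --homedir rather than the 1.4-only --no-default-keyring --secret-keyring pair, because GnuPG 2.1+ ignores --secret-keyring while --homedir works on both branches; it also carries the ownertrust across (a key export does not include it, as the quoted manual text notes), sets the new home to mode 700 to avoid the permission problem the answer mentions, and verifies at the end that every secret key fingerprint from the old home is present in the new one.

```shell
#!/bin/sh
# Added example: migrate OpenPGP key material from an old GnuPG home into a
# fresh one by exporting and re-importing instead of copying the directory.
# Assumes "gpg" (1.4 or 2.x) is on PATH; $1 and $2 are placeholder paths.
set -eu

# Print the fingerprints of all secret keys (primary and subkeys) in a GnuPG
# home, one per line, sorted. --with-colons is the stable machine-readable
# listing; "fpr" records carry the fingerprint in field 10.
secret_fingerprints() {
    gpg --homedir "$1" --batch --with-colons --list-secret-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }' | sort
}

# Migrate keys and ownertrust from $1 (old home) into $2 (new home).
# Returns 0 only when the new home ends up with the same secret keys.
migrate_gnupg() {
    old="$1"; new="$2"
    mkdir -p "$new"
    chmod 700 "$new"   # GnuPG warns on, or refuses, a world-readable home

    # 1. Ownertrust is not part of a key export; save it before anything else.
    gpg --homedir "$old" --batch --export-ownertrust > "$new/otrust.lst"

    # 2. Public keys first, then secret keys, streamed straight into the new
    #    home. --homedir replaces the gpg 1.4-only
    #    "--no-default-keyring --secret-keyring=secring.gpg" selection.
    gpg --homedir "$old" --batch --export \
        | gpg --homedir "$new" --batch --import-options import-local-sigs --import
    gpg --homedir "$old" --batch --export-secret-keys \
        | gpg --homedir "$new" --batch --import

    # 3. Restore ownertrust so trust decisions survive the move.
    gpg --homedir "$new" --batch --import-ownertrust "$new/otrust.lst"

    # 4. Verify: at least one secret key, and the fingerprint sets must match.
    [ -n "$(secret_fingerprints "$new")" ] &&
        [ "$(secret_fingerprints "$old")" = "$(secret_fingerprints "$new")" ]
}

# Usage: migrate_gnupg ~/.gnupg.old ~/.gnupg
```

The final comparison is the check worth keeping even if you run the commands by hand: "gpg: WARNING: nothing exported" followed by "Total number processed: 0" still exits successfully, so only a listing of the new home proves the secret keys actually arrived.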