On 08/17/2017 03:39 PM, Dirk-Willem van Gulik wrote:
> This had me believe that export-secret-subkeys would just export a
> subkey.
>
> Instead the output of --list-packets (and the file size) suggests
> that both the master and the subkey are exported.

Seemingly, yes. But actually, when using --export-secret-subkeys, the master private key is not really exported. The command does produce a "secret key packet" corresponding to the master key, but this packet does not actually contain the private key material.

Look for the "gnu-dummy S2K" line in the details of the secret key packet:

:secret key packet:
        version 4, algo 1, created 1502976628, expires 0
        pkey[0]: [4096 bits]
        pkey[1]: [17 bits]
        gnu-dummy S2K, algo: 0, simple checksum, hash: 0

It's the clue indicating that this packet is actually unusable. And that's what the man page means when it says:

"The second form of the command has the special property to render the secret part of the primary key useless."

The purpose of this command is to create a situation where only the private subkeys are available on the machine, while the master private key is stored offline.

Damien


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
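Added example (not part of the original thread, and not GnuPG's own code): a small Python parser that walks an OpenPGP key export, reads each secret-key packet, and reports whether it carries usable secret material or is only a gnu-dummy stub of the kind Damien describes. It also builds a constructed two-packet export (stub primary plus plaintext subkey) to run against. Assumptions: the packet layout follows RFC 4880 section 5.5.3, and the stub is encoded the way GnuPG writes it (S2K usage 0xff, cipher algo 0, S2K specifier 101, hash algo 0, the bytes "GNU", mode 1), which is what the "gnu-dummy S2K, algo: 0, simple checksum, hash: 0" line reflects; the RSA values are textbook toy numbers, not a real key, and the same toy modulus is reused for the subkey for brevity. Function names are mine.

```python
"""
Detect the GnuPG "gnu-dummy" stub that `gpg --export-secret-subkeys` writes
in place of the primary secret key (constructed example, not GnuPG code).
"""
import struct

TAG_SECRET_KEY, TAG_SECRET_SUBKEY = 5, 7
S2K_GNU_EXTENSION = 101   # GnuPG's private S2K specifier (assumption: per GnuPG sources)
GNU_DUMMY, GNU_DIVERT_TO_CARD = 1, 2


def mpi(value: int) -> bytes:
    """Encode an int as an OpenPGP MPI: 2-byte bit length + big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def read_mpi(buf: bytes, off: int):
    """Decode an MPI at buf[off:]; return (bit_length, value, new_offset)."""
    bits = struct.unpack_from(">H", buf, off)[0]
    nbytes = (bits + 7) // 8
    return bits, int.from_bytes(buf[off + 2:off + 2 + nbytes], "big"), off + 2 + nbytes


def old_format_packet(tag: int, body: bytes) -> bytes:
    """Old-format header (RFC 4880 4.2.1), the style gpg uses for key packets."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2), len(body)]) + body
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    off = 0
    while off < len(data):
        ctb = data[off]
        off += 1
        if not ctb & 0x80:
            raise ValueError("missing packet tag bit at offset %d" % (off - 1))
        if ctb & 0x40:                                  # new format
            tag, first = ctb & 0x3F, data[off]
            off += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[off] + 192
                off += 1
            elif first == 255:
                length = struct.unpack_from(">I", data, off)[0]
                off += 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                           # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[off:off + size], "big")
            off += size
        yield tag, data[off:off + length]
        off += length


def parse_secret_key(body: bytes) -> dict:
    """Parse a v4 RSA secret (sub)key packet far enough to see how the secret
    half is stored.  Mirrors the fields gpg --list-packets prints."""
    version, created, algo = struct.unpack_from(">BIB", body, 0)
    if version != 4 or algo not in (1, 2, 3):
        raise ValueError("only v4 RSA keys handled in this example")
    off, pkey_bits = 6, []
    for _ in range(2):                                  # public n, e
        bits, _, off = read_mpi(body, off)
        pkey_bits.append(bits)
    usage = body[off]
    off += 1
    info = {"version": version, "created": created, "pkey_bits": pkey_bits, "s2k_usage": usage}
    if usage == 0:                                      # plaintext secret MPIs follow
        info.update(protection="unprotected", has_secret_material=True)
        return info
    if usage not in (254, 255):
        raise ValueError("legacy usage byte %d not handled" % usage)
    cipher, s2k_type, hash_algo = body[off], body[off + 1], body[off + 2]
    off += 3
    info.update(cipher=cipher, hash=hash_algo, checksum="sha1" if usage == 254 else "simple")
    if s2k_type == S2K_GNU_EXTENSION:                   # "GNU" magic + one mode byte
        if body[off:off + 3] != b"GNU":
            raise ValueError("S2K 101 without GNU magic")
        mode = body[off + 3]
        name = {GNU_DUMMY: "gnu-dummy", GNU_DIVERT_TO_CARD: "gnu-divert-to-card"}
        info.update(protection=name.get(mode, "gnu-mode-%d" % mode), has_secret_material=False)
        return info
    info.update(protection="passphrase (s2k type %d)" % s2k_type, has_secret_material=True)
    return info


def public_fields(n: int, e: int, created: int) -> bytes:
    return struct.pack(">BIB", 4, created, 1) + mpi(n) + mpi(e)


def stub_primary(n: int, e: int, created: int) -> bytes:
    """Stub as written by --export-secret-subkeys: no secret MPIs at all."""
    return public_fields(n, e, created) + bytes([0xFF, 0, S2K_GNU_EXTENSION, 0]) + b"GNU" + bytes([GNU_DUMMY])


def plain_secret(n, e, d, p, q, u, created) -> bytes:
    """Unprotected secret key: usage 0, MPIs d p q u, 16-bit simple checksum."""
    secret = mpi(d) + mpi(p) + mpi(q) + mpi(u)
    return public_fields(n, e, created) + b"\x00" + secret + struct.pack(">H", sum(secret) & 0xFFFF)


def build_constructed_export() -> bytes:
    """Constructed blob: gnu-dummy primary followed by a usable secret subkey."""
    n, e, d, p, q, created = 3233, 17, 2753, 53, 61, 1502976628   # toy RSA, p < q
    u = pow(p, -1, q)                                             # u = p^-1 mod q
    return (old_format_packet(TAG_SECRET_KEY, stub_primary(n, e, created)) +
            old_format_packet(TAG_SECRET_SUBKEY, plain_secret(n, e, d, p, q, u, created)))


def summarize_export(blob: bytes):
    """Per secret-key packet: (tag, protection, has usable secret material)."""
    return [(tag, i["protection"], i["has_secret_material"])
            for tag, body in iter_packets(blob)
            if tag in (TAG_SECRET_KEY, TAG_SECRET_SUBKEY)
            for i in (parse_secret_key(body),)]


if __name__ == "__main__":
    for tag, prot, usable in summarize_export(build_constructed_export()):
        print("tag %d: %-12s secret material present: %s" % (tag, prot, usable))
```

Run against a real `gpg --export-secret-subkeys` output, the primary (tag 5) packet comes back as gnu-dummy with no secret material while the tag 7 subkey packets report either unprotected or passphrase-protected material, which is exactly the distinction the file size and packet count alone cannot show.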
