How to Export Private / Secret ASC Key to Decrypt GPG Files
Solution 1
You can export the private key with the command-line tool from GPG. It works on the Windows-shell. Use the following command:
gpg --export-secret-keys
A normal export with --export will not include any private keys, therefore you have to use --export-secret-keys.
Edit:
To sum up the information given in my comments, this is the command that allows you to export a specific key with the ID 1234ABCD to the file secret.asc:
gpg --export-secret-keys --armor 1234ABCD > secret.asc
You can find the ID that you need using the following command. The ID is the second part of the second column:
gpg --list-keys
To Export just 1 specific secret key instead of all of them:
gpg --export-secret-keys keyIDNumber > exportedKeyFilename.asc
keyIDNumber is the number of the key id for the desired key you are trying to export.
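Whether an exported file actually carries the secret key (and not only the public part, as a plain --export produces) can be checked before the file is sent or imported. The following is an added example, not part of the original answers: classify_key_file and write_samples are hypothetical names, the sample files are constructed, and it goes beyond the armored case by also reading the first OpenPGP packet header octet of binary exports made without --armor.

```shell
#!/bin/sh
# Added example: classify an exported key file without importing it.
# Prints one of: armored-secret, armored-public, binary-secret,
# binary-public, unknown, missing.
classify_key_file() {
    f=$1
    [ -r "$f" ] || { echo missing; return 1; }

    # ASCII armor (written with -a / --armor): the header line names the content.
    if grep -q '^-----BEGIN PGP PRIVATE KEY BLOCK-----' "$f"; then
        echo armored-secret; return 0
    fi
    if grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$f"; then
        echo armored-public; return 0
    fi

    # Binary export (no --armor): the first octet is an OpenPGP packet header.
    b=$(od -An -tu1 -N1 "$f" | tr -d ' \n')
    case $b in
        148|149|150|151|197) echo binary-secret ;;  # tag 5: 0x94-0x97, 0xC5
        152|153|154|155|198) echo binary-public ;;  # tag 6: 0x98-0x9B, 0xC6
        *) echo unknown ;;
    esac
}

# Constructed sample files (no real key material) for trying the function.
write_samples() {
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' 'AAAA' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$1/pub.asc"
    printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' '' 'AAAA' \
        '-----END PGP PRIVATE KEY BLOCK-----' > "$1/sec.asc"
    printf '\225\001\001' > "$1/sec.gpg"   # 0x95: old-format secret-key packet
    printf '\231\001\001' > "$1/pub.gpg"   # 0x99: old-format public-key packet
    printf 'not a key\n' > "$1/other.txt"
}

# Usage: sh check_key_file.sh secret.asc exported.gpg
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(classify_key_file "$f")"
done
```

A result of armored-public or binary-public for a file that was meant to carry the private key matches the "Secret Key Not available" symptom described in the question.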
Solution 2
All the above replies are correct, but might be missing one crucial step: you need to edit the imported key and "ultimately trust" that key.
gpg --edit-key (keyIDNumber)
gpg> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
and select 5 to enable that imported private key as one of your keys
Solution 3
See the treatment by Dark Otter
https://montemazuma.wordpress.com/2010/03/01/moving-a-gpg-key-privately/
If the site is down use reference the archive.org backup:
which includes a reasonably secure way to transfer keys. You could put that recommendation into shell-scripts shown below for repeated use.
First get the KEYID you want from the list shown by
$ gpg -K
From the resulting list note the KEYID (the 8 hexadecimals following sec) you need for transfer.
Then invoke the tested shell script "export_private_key" on the first account and generate your pubkey.gpg + keys.asc. Subsequently invoke "import_private_key" on the second account. Here is their content shown with cat (copy & paste content):
$ cat export_private_key
gpg -K
echo "select private key"
read KEYID
gpg --output pubkey.gpg --export $KEYID
echo REMEMBER THE COMING PASS-PHRASE
gpg --output - --export-secret-key $KEYID | \
cat pubkey.gpg - | \
gpg --armor --output keys.asc --symmetric --cipher-algo AES256
ls -l pubkey.gpg keys.asc
#################### E X P O R T _ P R I V A T E _ K E Y #####################
Now transfer by some means the "pubkey.gpg" (if needed) and the private "keys.asc" to the second account and invoke the program shown below.
$ cat import_private_key
gpg --no-use-agent --output - keys.asc | gpg --import
################### I M P O R T _ P R I V A T E _ K E Y ######################
In Otter's spirit "And that, should be, that".
Solution 4
I think you have not yet imported the private key, as the error message said. To import a public/private key from gnupg:
gpg --import mypub_key
gpg --allow-secret-key-import --import myprv_key
Solution 5
This ended up working for me:
gpg -a --export-secret-keys > exportedKeyFilename.asc
You can give keyfilename.asc any name as long as you keep the .asc extension.
This command copies all secret keys on a user's computer to keyfilename.asc in the working directory from which the command was called.
To Export just 1 specific secret key instead of all of them:
gpg -a --export-secret-keys keyIDNumber > exportedKeyFilename.asc
keyIDNumber is the number of the key id for the desired key you are trying to export.
Brian McCarthy
Updated on November 08, 2020
Comments
-
Brian McCarthy over 3 years
Background: My boss has tried exporting an ASC key to me with public and private parts but whenever I get the file the private part never loads up and it won't decrypt any files.
We have tried Exporting the ASC Key using:
- Windows Application Kleopatra 2.1 (included in gpg4win)
- Windows Application GNU Privacy Assistant (included in gpg4win)
Error: "Decryption failed. Secret Key Not available."
How do you properly export a secret or private asc key to decrypt gpg files?
-
Demento about 13 years
@Brian: This will dump the key to the console. If you want to store it in a file, you can redirect the output to an arbitrary filename ("gpg --export-secret-keys > secret.asc").
-
Demento about 13 years
You can list all available keys with "--list-keys". The second column will contain IDs like "2048g/1234ABCD". Find the desired key and export it with "gpg --export-secret-keys 1234ABCD > secret.asc", of course changing 1234ABCD with the correct ID. You can also add the "-a" flag. It writes the output with ASCII characters, just in case the binary output is causing trouble.
-
Brian McCarthy about 13 years
@demento, thanks for the additional feedback... I'll add that to the answer
-
Brian McCarthy about 13 years
I was asking about exporting from a computer that works... you can only import the key if it's on a local server.
-
SIFE about 13 years
@Brian McCarthy: What are you trying to say?
-
Demento about 13 years
@Brian: This gives you the output in ASCII and not in binary. If you keep it in a file, it doesn't really matter. But once you want to pass it around any other way, the ASCII version is much easier to handle (sending it inline in an email e.g.)
-
farhany almost 11 years
Do we really need to import the public key if the private one has been imported already? As I understand, a public key can be generated out of a private one anything.
-
SIFE over 10 years
@farhany I think yes, because you will need it when you sign your message.
-
rockdaboot almost 10 years
Maybe you want to carry your secret key to another location. In this case you should encrypt the exported data: "gpg --export-secret-keys keyIDNumber | gpg -c >encrypted" decrypt it with "gpg -o unencrypted encrypted".
-
RichieHH over 9 years
You still need the -a if you really want asc
-
Brōtsyorfuzthrāx over 8 years
Doesn't the first example do the same thing as the second one? I mean, 1234ABCD seems to refer to a single secret key, does it not? However, you imply that it encompasses all of them, somehow. Also, do we get the key ID from the pub or sub row?
-
Ferry Boender about 7 years
Keys exported from GnuPG remain encrypted (which is why you don't need to enter the private key passphrase), so there's really no need to encrypt it again.
-
M. Volf over 5 years
I'm getting "error receiving key from agent: Permission denied - skipped" on --export-secret-keys -a [myid]
-
vhs over 4 years
According to man gpg, use of the option --armor with --export-secret-keys is intended for creating paper backups and "presents a security risk" if sent over an insecure channel.
-
vhs over 4 years
@FerryBoender Are you sure about that?
-
rudolph9 almost 4 years
According to paper copy:
> If your key has a passphrase on it (i.e. is encrypted), the paper copy is similarly encrypted
Although I have yet to find this in the official GPG doc. Also opened an issue on a gpg yubikey guide github.com/drduh/YubiKey-Guide/issues/195
-
Kyle Zhang almost 3 years
The difference between having the '--armor' option or not is whether the output is in ASCII format. The output is in readable ASCII format if '--armor' is added.
-
bam over 2 years
Unfortunately, this doesn't work if your key was passphrased initially. I filed an issue about it: github.com/open-keychain/open-keychain/issues/2723