How to Export Private / Secret ASC Key to Decrypt GPG Files


Solution 1

You can export the private key with the command-line tool from GPG. It works in the Windows shell. Use the following command:

gpg --export-secret-keys

A normal export with --export will not include any private keys, therefore you have to use --export-secret-keys.

Edit:

To sum up the information given in my comments, this is the command that allows you to export a specific key with the ID 1234ABCD to the file secret.asc:

gpg --export-secret-keys --armor 1234ABCD > secret.asc

You can find the ID that you need using the following command. The ID is the second part of the second column:

gpg --list-keys

To export just one specific secret key instead of all of them:

gpg --export-secret-keys keyIDNumber > exportedKeyFilename.asc

keyIDNumber is the key ID of the key you want to export.

Solution 2

All the above replies are correct, but they might be missing one crucial step: you need to edit the imported key and "ultimately trust" that key.

gpg --edit-key (keyIDNumber)
gpg> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

and select 5 to enable that imported private key as one of your keys

Solution 3

See the treatment by Dark Otter

https://montemazuma.wordpress.com/2010/03/01/moving-a-gpg-key-privately/

If the site is down, use the archive.org backup:

https://montemazuma.wordpress.com/2010/03/01/moving-a-gpg-key-privately/

which includes a reasonably secure way to transfer keys. You could put that recommendation into the shell scripts shown below for repeated use.

First get the KEYID you want from the list shown by

$ gpg -K

From the resulting list note the KEYID (the 8 hex digits following sec) you need for the transfer.

Then invoke the tested shell script "export_private_key" on the first account to generate your pubkey.gpg + keys.asc. Subsequently invoke "import_private_key" on the second account. Here is their content shown with cat (copy & paste content):

$ cat export_private_key
#!/bin/sh
# List the secret keys, then ask which KEYID to export
gpg -K
echo "select private key"
read KEYID
# Public part, binary form, written to pubkey.gpg
gpg --output pubkey.gpg --export "$KEYID"
echo "REMEMBER THE COMING PASS-PHRASE"
# Concatenate public + secret key and wrap both in one symmetrically
# encrypted (AES-256), ASCII-armored file keys.asc
gpg --output - --export-secret-key "$KEYID" | \
   cat pubkey.gpg - | \
   gpg --armor --output keys.asc --symmetric --cipher-algo AES256
ls -l pubkey.gpg keys.asc
####################  E X P O R T _ P R I V A T E _ K E Y  #####################

Now transfer by some means the "pubkey.gpg" (if needed) and the private "keys.asc" to the second account and invoke the program shown below.

$ cat import_private_key
#!/bin/sh
# Decrypt the symmetric wrapper (asks for the pass-phrase chosen at export time)
# and feed the concatenated public + secret key straight into the keyring.
# --no-use-agent is obsolete and ignored by GnuPG 2.1 and later.
gpg --no-use-agent --output - keys.asc | gpg --import
###################  I M P O R T _ P R I V A T E _ K E Y  ######################

In Otter's spirit "And that, should be, that".
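Before handing keys.asc or secret.asc to anyone, it is worth checking what actually went into the file: whether it holds secret-key packets at all, and whether each one is still passphrase-protected (the point debated in the comments below). The following Python script is an added example, not code from any answer on this page: it walks the OpenPGP packets as laid out in RFC 4880 and reads each secret key's S2K usage octet, and the armored input it runs on is a constructed sample with dummy numbers, not real key material.

```python
import base64, re

MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA variants, Elgamal, DSA: public MPIs per key
ECC_ALGOS = {18, 19, 22}                       # ECDH, ECDSA, EdDSA: curve OID + one point MPI

def dearmor(text):
    """Raw bytes of the first armored block; armor headers ("Version: ...") and CRC line dropped."""
    body = re.search(r"-----BEGIN PGP [A-Z ]+-----\r?\n(.*?)-----END PGP", text, re.S).group(1)
    lines = [ln.strip() for ln in body.splitlines()]
    return base64.b64decode("".join(ln for ln in lines if ln and ":" not in ln and ln[0] != "="))

def packets(data):
    """Yield (tag, body) per OpenPGP packet; handles old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                                          # new-format header
            tag, b0, i = hdr & 0x3F, data[i], i + 1
            if b0 < 192: ln = b0
            elif b0 < 224: ln, i = ((b0 - 192) << 8) + data[i] + 192, i + 1
            elif b0 == 255: ln, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else: raise ValueError("partial body lengths not supported")
        else:                                                   # old-format header (what GnuPG writes)
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 3)          # n = length octets: 1, 2, 4 (8 = indeterminate)
            if n == 8: raise ValueError("indeterminate length not supported")
            ln, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + ln]; i += ln

def s2k_usage(body):
    """S2K usage octet of a v4 secret-key packet: 0 means the private MPIs are stored in the clear."""
    if body[0] != 4: raise ValueError(f"only v4 keys handled, got v{body[0]}")
    algo, i = body[5], 6                                        # version, 4-byte time, algorithm, then MPIs
    if algo in ECC_ALGOS: i += 1 + body[i]                      # curve OID precedes the point
    for _ in range(1 if algo in ECC_ALGOS else MPI_COUNT[algo]):
        i += 2 + (int.from_bytes(body[i:i + 2], "big") + 7) // 8  # skip one MPI: 2-byte bit count + bytes
    if algo == 18: i += 1 + body[i]                             # ECDH carries KDF parameters as well
    return body[i]

def inspect_export(text):
    """(kind, passphrase-protected?) per key packet; None for public keys."""
    kinds = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}
    return [(kinds[t], s2k_usage(b) != 0 if t in (5, 7) else None) for t, b in packets(dearmor(text)) if t in kinds]

def _fake_rsa_secret(tag, protected):
    """Constructed sample (not real key material): v4 RSA secret packet, old-format header, 1-byte length."""
    pub = b"\x04" + bytes(4) + b"\x01" + b"\x00\x10\xc5\xa1" + b"\x00\x11\x01\x00\x01"  # ver, time, RSA, n, e
    sec = b"\xfe\x09\x03\x08" + bytes(24) if protected else b"\x00" + b"\x00\x0d\x12\x34" + bytes(2)  # 254 vs 0
    return bytes([0x80 | tag << 2, len(pub + sec)]) + pub + sec

SAMPLE = ("-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: constructed sample\n\n" + base64.b64encode(
    _fake_rsa_secret(5, True) + _fake_rsa_secret(7, False)).decode() + "\n=0000\n-----END PGP PRIVATE KEY BLOCK-----\n")
```

Run it on a real export with `inspect_export(open("secret.asc").read())`; an entry reporting False means the private material in that file is not protected by a passphrase and the file itself must be encrypted before it travels.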

Solution 4

I think you had not yet imported the private key, as the error message said. To import the public/private key with gnupg:

gpg --import mypub_key
gpg --allow-secret-key-import --import myprv_key

Solution 5

This ended up working for me:

   gpg -a --export-secret-keys > exportedKeyFilename.asc

You can give the file any name as long as you keep the .asc extension.
This command copies all secret keys on a user's computer to keyfilename.asc in the working directory where the command was called.

To export just one specific secret key instead of all of them:

   gpg -a --export-secret-keys keyIDNumber > exportedKeyFilename.asc

keyIDNumber is the key ID of the key you want to export.


Author: Brian McCarthy

Noob .NET Developer and UF Gator Graduate from sunny Tampa, FL using C# & VB w/ Visual Studio 2017 Premium. I also do Search Engine Optimization Consulting and Wordpress configurations. Feel free to contact me on: LinkedIn, Google +, or Facebook :) "Everyone knows that debugging is twice as hard as writing a program in the first place. So if you're as clever as you can be when you write it, how will you ever debug it?" -Brian Kernighan from "Elements of Programming Style"

Updated on November 08, 2020

Comments

  • Brian McCarthy about 2 years

    Background: My boss has tried exporting an ASC key to me with public and private parts, but whenever I get the file the private part never loads up and it won't decrypt any files.

    We have tried exporting the ASC key using:

    • Windows Application Kleopatra 2.1 (included in gpg4win)
    • Windows Application GNU Privacy Assistant (included in gpg4win)

    Error: "Decryption failed. Secret Key Not available."

    How do you properly export a secret or private asc key to decrypt gpg files?

  • Demento over 11 years
    @Brian: This will dump the key to the console. If you want to store it in a file, you can redirect the output to an arbitrary filename ("gpg --export-secret-keys > secret.asc").
  • Demento over 11 years
    You can list all available keys with "--list-keys". The second column will contain IDs like "2048g/1234ABCD". Find the desired key and export it with "gpg --export-secret-keys 1234ABCD > secret.asc", of course changing 1234ABCD to the correct ID. You can also add the "-a" flag. It writes the output with ASCII characters, just in case the binary output is causing trouble.
  • Brian McCarthy over 11 years
    @demento, thanks for the additional feedback... I'll add that to the answer.
  • Brian McCarthy over 11 years
    I was asking about exporting from a computer that works... you can only import the key if it's on a local server.
  • SIFE over 11 years
    @Brian McCarthy: What are you trying to say?
  • Demento over 11 years
    @Brian: This gives you the output in ASCII and not in binary. If you keep it in a file, it doesn't really matter. But once you want to pass it around any other way, the ASCII version is much easier to handle (sending it inline in an email, e.g.).
  • farhany over 9 years
    Do we really need to import the public key if the private one has been imported already? As I understand, a public key can be generated out of a private one anything.
  • SIFE over 9 years
    @farhany I think yes, because you will need it when you sign your message.
  • rockdaboot over 8 years
    Maybe you want to carry your secret key to another location. In this case you should encrypt the exported data: "gpg --export-secret-keys keyIDNumber | gpg -c >encrypted"; decrypt it with "gpg -o unencrypted encrypted".
  • RichieHH about 8 years
    You still need the -a if you really want asc.
  • Brōtsyorfuzthrāx about 7 years
    Doesn't the first example do the same thing as the second one? I mean, 1234ABCD seems to refer to a single secret key, does it not? However, you imply that it encompasses all of them, somehow. Also, do we get the key ID from the pub or sub row?
  • Ferry Boender almost 6 years
    Keys exported from GnuPG remain encrypted (which is why you don't need to enter the private key passphrase), so there's really no need to encrypt it again.
  • M. Volf about 4 years
    I'm getting "error receiving key from agent: Permission denied - skipped" on --export-secret-keys -a [myid]
  • vhs about 3 years
    According to man gpg, use of the option --armor with --export-secret-keys is intended for creating paper backups and "presents a security risk" if sent over an insecure channel.
  • vhs about 3 years
    @FerryBoender Are you sure about that?
  • rudolph9 over 2 years
    According to paper copy: > If your key has a passphrase on it (i.e. is encrypted), the paper copy is similarly encrypted. Although I have yet to find this in the official GPG doc. Also opened an issue on a gpg yubikey guide: github.com/drduh/YubiKey-Guide/issues/195
  • Kyle Zhang over 1 year
    The difference with and without the '--armor' option is whether the output is in ASCII format. The output is in readable ASCII format if '--armor' is added.
  • bam over 1 year
    Unfortunately, this doesn't work if your key was passphrased initially. I filed an issue about it: github.com/open-keychain/open-keychain/issues/2723
