
I'm trying to copy my gpg key from one machine to another.

I do:

gpg --export ${ID} > public.key
gpg --export-secret-key ${ID} > private.key

Move files to new machine, and then:

gpg --import public.key
gpg: nyckel [ID]: public key [Name, e-mail] was imported
gpg: Total number of treated keys: 1
gpg:                 imported: 1  (RSA: 1)

gpg --allow-secret-key-import private.key
sec  [?]/[ID] [Creation date] [Name, e-mail]
ssb  [?]/[SUB-ID] [Creation date]

All looks good to me, but then:

$ gpg -d [file].gpg
gpg: encrypted with 4096-bit RSA-key, id [SUB-ID], created [Creation date]
  [Name, e-mail]
gpg: decryption failed: secret key not accessible

So the error message says that the file has been encrypted with [SUB-ID], which the secret key import appears to say it has imported. (The [SUB-ID] in both messages is the same).

So I'm clearly doing something wrong, but I don't know what.

user50849

3 Answers


You need to add --import to the command line to import the private key. (You don't need to use the --allow-secret-key-import flag. According to the man page: "This is an obsolete option and is not used anywhere.")

gpg --import private.key
Celada
  • Any chance you'd also know why gpg2 -e -r [ID] says "There is no assurance this key belongs to the named user"? I wish I had included it in the original question, but I noticed it only later. – user50849 Feb 16 '15 at 07:54
  • GnuPG maintains a trust database which it uses to decide how much to trust what keys. For example, trust your own keys the most, keys that aren't directly or indirectly signed by any trusted keys the least. After you've just imported to an empty database, probably no keys at all are trusted. This trust database is separate from the database of keys themselves, so importing keys does not make them trusted unless they are signed by some already-trusted key. You have to tell GnuPG which keys you want to trust separately. – Celada Feb 16 '15 at 09:19
  • @Celada, thanks, with --edit-key and the trust command I managed to get the key trusted. Since my original question was how to copy the key from one machine to another, I think it would be appropriate to add something about that to your answer. I'd prefer not to edit your answer myself, and you seem to know a lot more than me about this. – user50849 Feb 16 '15 at 10:05
  • I don't feel that I understand the trustdb well enough to talk about it in my answer. I'm glad you were able to work it out using the vague hints I gave in my comment. – Celada Feb 16 '15 at 11:53
  • Ok, I've re-titled the original question so it more specifically fits with the answer. That way I can ask a separate question about the trustdb. Thanks for the help. :) – user50849 Feb 16 '15 at 16:07
  • Regarding the owner trust, you can use gpg2 --export-ownertrust > trustfile.txt and gpg2 --import-ownertrust trustfile.txt to copy your trust settings. To do it all in one step from one machine to the other, use gpg2 --export-ownertrust | ssh user@othermachine gpg2 --import-ownertrust. Pretty cool, I think :-) This also works for the key export/import. – JoeGo Aug 25 '17 at 15:24
  • For making the above work on current MacOS (using zsh), please see this: https://stackoverflow.com/a/27042267/5088194 – leerssej Jan 28 '20 at 20:46

The above is only a partial answer. The complete answer is:

gpg --import private.key
  • Given the KEYID (e.g. FA0339620046E260) from the output:

      gpg --edit-key {KEY} trust quit
      # enter 5<RETURN> (I trust ultimately)
      # enter y<RETURN> (Really set this key to ultimate trust - Yes)

  • OR use the automated command below:

      expect -c 'spawn gpg --edit-key {KEY} trust quit; send "5\ry\r"; expect eof'

Finally, verify that key is now trusted with [ultimate] instead of [unknown]

gpg --list-keys
ruohola
cmcginty
  • What do these extra commands do? – steinybot Aug 26 '18 at 07:24
  • @Steiny It makes the key trusted with [ultimate] instead of [unknown]. https://gpgtools.tenderapp.com/kb/faq/what-is-ownertrust-trust-levels-explained – cmcginty Oct 24 '18 at 19:22
  • They chain the commands to what you are prompted for. You can leave trust and quit off the command and just enter them when prompted. Note that entering the 5 and y are responses to trust, so they are entered before quit. – flurdy Jun 14 '23 at 15:02
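The whole procedure from the accepted answer and the comments (export public key, secret key and ownertrust on the old machine; plain --import on the new one; check that decryption works and that the key only becomes [ultimate] once the ownertrust is carried over), as an added example that is not code from this thread or from the GnuPG project. It plays both machines with two throwaway GNUPGHOME directories and assumes GnuPG 2.1 or later on PATH; the key, user ID and message are constructed for the demo.

```shell
# Added example, not code from the thread: one shell session that plays both
# machines with two throwaway GNUPGHOME directories. Assumes GnuPG 2.1+ on PATH.
set -eu

# Constructed test key with no passphrase, so no pinentry dialog appears.
make_test_key() {
    gpg --homedir "$1" --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Migration Test
Name-Email: migrate@example.invalid
Expire-Date: 0
%commit
EOF
}

# Validity letter of the key's "pub" record in colon output ("u" = ultimate).
validity() {
    gpg --homedir "$1" --batch --with-colons --list-keys "$2" 2>/dev/null |
        awk -F: '$1 == "pub" { print $2; exit }'
}

cleanup() { for h in "$old" "$new"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; rm -rf "$h"; done; }

# Prints the key's validity on the new machine before and after ownertrust import.
migrate_demo() {
    old=$(mktemp -d); new=$(mktemp -d); trap cleanup EXIT
    make_test_key "$old"
    fpr=$(gpg --homedir "$old" --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')
    # Old machine: export public key, secret key and ownertrust; encrypt a test file.
    gpg --homedir "$old" --batch --export "$fpr" > "$old/public.key"
    gpg --homedir "$old" --batch --export-secret-keys "$fpr" > "$old/private.key"
    gpg --homedir "$old" --export-ownertrust > "$old/trust.txt" 2>/dev/null
    echo "secret message" | gpg --homedir "$old" --batch --quiet -r "$fpr" -e -o "$old/msg.gpg"
    # New machine: plain --import for both files (not --allow-secret-key-import).
    gpg --homedir "$new" --batch --quiet --import "$old/public.key" "$old/private.key" 2>/dev/null
    gpg --homedir "$new" --batch --with-colons --list-secret-keys | grep -q "^fpr:.*:$fpr:" || return 1
    before=$(validity "$new" "$fpr")
    # Decryption needs only the secret key; ownertrust does not gate it.
    [ "$(gpg --homedir "$new" --batch --quiet -d "$old/msg.gpg" 2>/dev/null)" = "secret message" ] || return 1
    # Ownertrust lives in a separate database, so carry it over and re-validate.
    gpg --homedir "$new" --import-ownertrust "$old/trust.txt" 2>/dev/null
    gpg --homedir "$new" --batch --quiet --check-trustdb 2>/dev/null
    after=$(validity "$new" "$fpr")
    echo "before=$before after=$after"
}
```

Run `migrate_demo` to see the validity letter change from unknown to `u` only after the ownertrust import; with real machines, replace the second `--homedir` with the `ssh user@othermachine` pipe from JoeGo's comment.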

I was importing from a backup that had an old version of gpg. Since the old computer wasn't available, only the backup, I couldn't export it first. This is what worked for me.

gpg --import old_home_dir/.gnupg/pubring.gpg
gpg --import old_home_dir/.gnupg/secring.gpg

If you want to be able to import secret keys without entering the passphrase immediately, use the --batch option.

To verify the public keys:

gpg --list-keys

To verify the secret keys:

gpg --list-secret-keys