Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
I've been googling for an hour now and nowhere is it documented that --export-secret-key would delete the key from the local keyring.
-
@lbfalvy Yeah I also looked up the man page and didn't find anything, but given the OP's experience, I wondered whether there's some gotcha that I overlooked.
-
GPG has an --armor flag to export in an ASCII way...
You should use it in general, as it prevents possible errors of passing.
--export-secret-keys shouldn't delete the keys at all.
SCP does an secure transfer, but you should be aware (as the secret keys are the epitome of stuff that shouldn't be public accessible) that it doesn't retain permissions by default.
So if you create the file "on the fly" it will use the _remote_ hosts permissions, most likely based on the umask (not entirely sure, long time ago).
Which might be absolutely not what you want, especially if the umask has group permissions set and you create a world readable file with your GPG secret key that anyone can access.
If you create the file with correct permissions and use SCP -p to retain permissions, you can prevent this.
Last but not least: Piping seems like a clever way, but it can have severe side effects, especially if you overlook stuff.
I'm very confused about the SCP part...
I would have never expected SCP to accept a piped input.
I could be totally wrong, as I try to avoid piping with remote commands for the reason that if I do something wrong, I might be in serious trouble.
(Funny stories of RSYNC / SCP and dead hosts as stuff has gone horribly wrong and e.g. important system files got overwritten....)
I'm aware of SSH accepting input and being able to "cat" it… like net cat / nc...
Maybe something went terribly wrong at that stage. Absolutely not sure, as I really wouldn't do it.
Related Rants
DO NOT EXPORT GPG KEYS _TEMPORARILY_ AND ASSUME THAT THEY'LL BE IN THE ORIGINAL LOCATION AFTER EXPORT!
I learnt this lesson the hard way.
I had to use a GPG key from my personal keyring on a different machine ( that I control ). This was a temporary one-time operation so I thought I might be a smart-ass and do the decryption on the fly.
So, the idiotic me directly piped the output : `gpg --export-secret-key | scp ...`. Very cool ( at the time ). Everything worked as expected. I was happy. I went to bed.
In the morning, I had to use the same key on the original machine for the normal purpose I'd use it for and guess what greeted me? - *No secret key*
*me exclaims* : What the actual f**k?!
More than half a day of researching on the internet and various trials-and-errors ( I didn't even do any work for my employer ), I finally gave up trying to retrieve / recover the lost secret key that was never written to a file.
Well, to be fair, it was imported into a temporary keyring on the second machine, but that was deleted immediately after use. Because I *thought* that the original secret key was still in my original keyring.
More idiotic was the fact that I'd been completely ignorant of the option called `--list-secret-keys` even after using GPG for many years now. My test to confirm whether the key was still in place was `--list-keys` which even now lists the user ID. Alas, now without a secret key to do anything meaningful really.
Here I am, with my face in my hands, shaking my head and almost crying.
rant
gpg
fail
secret key