[Gpg4win-users-en] Private and Public Keys and their Extensions

L LSmok3 at riseup.net
Tue Jul 14 02:36:07 CEST 2015

I uninstalled Gpg4Win/GnuPG from my PC altogether, and have just run it
from a GnuPG install on my USB stick using the path setup you advised -
which apparently works but for one more problem, being that it
creates/modifies files on the HDD, not on the USB stick from which it's
running GnuPG: I want it to run completely portably, giving me full
access to Command Line GnuPG with encryption/symmetric file encryption
using only a USB stick and without altering a host computer in any way
(such as a public or net cafe PC, say).

Meanwhile, this test generation has successfully created secret keys;
the last attempt, doing exactly the same thing, but using the install on
my PC, didn't do so, and listing secret keys produced nothing.
Now, I can see the pub/sub/sec/ssb listing in pubring.kbx. I have also
shown the DIR contents of private-keys-v1.d and openpgp-revocs.d.

I still want to be able to control, move and store the files that handle
keys myself, including - as per guidelines, as far as I know - storing
my secret key somewhere safe (I have also seen people use the term
"supersecret" and "master" key but am unclear what they are referring to
other than the private part of the keys generated - Gpg seems to suffer
greatly from an overproliferation of terms and alternatives, no?).

That's as much as I can do to provide clarification.

Transcript/s follow...


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Myself>gpg --version
gpg (GnuPG) 2.1.4
libgcrypt 1.6.3
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Users/Myself/AppData/Roaming/gnupg
Supported algorithms:
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2


C:\Users\Myself>gpg --full-gen-key
gpg (GnuPG) 2.1.4; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1
Key expires at 07/14/15 17:07:13 Pacific Daylight Time
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Name
Email address: LSmok3 at riseup.net
Comment: This is a test key
You selected this USER-ID:
    "Name (This is a test key) <LSmok3 at riseup.net>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

gpg: key 12FF9771 marked as ultimately trusted
gpg: directory 'C:/Users/CeX/AppData/Roaming/gnupg/openpgp-revocs.d' created
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2015-07-15
pub   rsa2048/12FF9771 2015-07-14 [expires: 2015-07-15]
      Key fingerprint = 88A8 BF03 7043 AD09 60FB  4A64 636C CB18 12FF 9771
uid       [ultimate] Name (This is a test key) <LSmok3 at riseup.net>
sub   rsa2048/968C3844 2015-07-14 [expires: 2015-07-15]



 Volume in drive C has no label.
 Volume Serial Number is ECDD-8D59

 Directory of C:\Users\Myself\AppData\Roaming\gnupg\private-keys-v1.d

07/13/2015  05:08 PM    <DIR>          .
07/13/2015  05:08 PM    <DIR>          ..
07/13/2015  05:08 PM             1,156
07/13/2015  05:07 PM             1,172
               2 File(s)          2,328 bytes
               2 Dir(s)  293,745,704,960 bytes free

 Volume in drive C has no label.
 Volume Serial Number is ECDD-8D59

 Directory of C:\Users\Myself\AppData\Roaming\gnupg\openpgp-revocs.d

07/13/2015  05:08 PM    <DIR>          .
07/13/2015  05:08 PM    <DIR>          ..
07/13/2015  05:08 PM             1,182
               1 File(s)          1,182 bytes
               2 Dir(s)  293,745,704,960 bytes free


C:\Users\Myself\AppData\Roaming\gnupg\openpgp-revocs.d>gpg -k
pub   rsa2048/12FF9771 2015-07-14 [expires: 2015-07-15]
uid       [ultimate] Name (This is a test key) <LSmok3 at riseup.net>
sub   rsa2048/968C3844 2015-07-14 [expires: 2015-07-15]

sec   rsa2048/12FF9771 2015-07-14 [expires: 2015-07-15]
uid       [ultimate] Name (This is a test key) <LSmok3 at riseup.net>
ssb   rsa2048/968C3844 2015-07-14 [expires: 2015-07-15]

On 7/12/2015 9:11 PM, Daniel Kahn Gillmor wrote:
> Hi L--
> I'll try to answer your questions below, but the narrative style of your
> questions makes it difficult for me to see what's going on concretely.
> Since you seem comfortable using the command line, it would make things
> much clearer if you provided as much of a terminal transcript as
> possible.
> See: https://support.mayfirst.org/wiki/terminal_transcripts for general
> advice on providing terminal transcripts.
> On Sat 2015-07-11 15:56:20 -0400, L wrote:
>> When I generate a key pair using the only commands available in GnuPG, I
>> get TWO files, both with extension .key.
> There are actually several files created or modified, not only two with
> the extension .key.  I think you're talking about files in your GnuPG
> home directory named private-keys-v1.d/<KEYGRIP>.key.  As the
> directory that they're in suggests, those are private keys.  This
> directory is used by GnuPG version 2.1 and later (it is also used by
> older versions of GnuPG when doing S/MIME work).
>> They are apparently named for their fingerprints.
> the files in private-keys-v1.d/ are named for their keygrip, which is a
> different calculation than their fingerprint. (these details are not
> relevant for most users)
>> I have no immediate way of distinguishing what these two files are,
>> or how this corresponds to public and private keys, if at all (you
>> suggest not, I think).
> One of them is the secret part of your primary key, the other is the
> secret part of your subkey.
>> When I input gpg --list-secret-keys, I get nothing. Encrypting a file
>> with my own key and then attempting to decrypt it produces a "no secret
>> key" message.
> These two things make sense together.  if you have no secret keys, then
> decrypting a message should fail with exactly that error message.
> What's less clear to me is why these two things are happening when you
> have files in private-keys-v1.d/ .  what version of gnupg are you using?
> with what installations?  do you have gpg-agent running?
> You can show the answers to these questions with a terminal transcript
> showing the following commands:
>  gpg --version
>  gpg-connect-agent 'getinfo version' /bye
>  gpg --list-secret-keys
>> All of this implies that the creation process is not creating a
>> private/secret key at all, only public ones that can be listed using
>> --list-public-keys (which works) or exported as ascii.
> That would be weird.  the secret key needs to be created at some point
> or it would be impossible to create the OpenPGP certificates.
>> I need a way to identify the .key files created, link them to IDs, and
>> retain the pertinent binary matched to its corresponding ascii key,
>> including isolating my private key (which appears not to exist via this
>> creation method).
> those files in private-keys-v1.d/ can be associated with other keys by
> keygrip (see --with-keygrip) but you really really do not want to work
> with them manually if possible; they should be controlled by gpg-agent,
> and only by gpg-agent.  if you show what versions of the tools you're
> working with, maybe we'll get more hints.
> Regards,
>         --dkg
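As an added example that is not part of this thread (my own code, not GnuPG's), a small Python script that does what dkg suggests with --with-keygrip: it parses the output of `gpg --with-colons --with-keygrip --list-secret-keys` and reports which `private-keys-v1.d/<KEYGRIP>.key` file under a given home directory belongs to which key ID. The colons output, both keygrips and the subkey fingerprint in the sample are constructed; the `homedir` argument is whatever `GNUPGHOME` or `--homedir` points at (for instance a directory on the USB stick).

```python
# Match private-keys-v1.d/<KEYGRIP>.key files to OpenPGP key IDs by parsing
# the machine-readable output of:  gpg --with-colons --with-keygrip --list-secret-keys
import os
import tempfile
from typing import Dict, List

# Constructed sample: the primary key ID and fingerprint match the thread's
# transcript; the subkey fingerprint and both keygrips are placeholders.
SAMPLE_COLONS = """\
sec:u:2048:1:636CCB1812FF9771:1436832433:1436918833::u:::scESC:::+:::23::0:
fpr:::::::::88A8BF037043AD0960FB4A64636CCB1812FF9771:
grp:::::::::0000000000000000000000000000000000000001:
uid:u::::1436832433::0000000000000000::Name (This is a test key) <LSmok3 at riseup.net>::::::::::0:
ssb:u:2048:1:77778888968C3844:1436832433:1436918833:::::e:::+:::23:
fpr:::::::::11112222333344445555666677778888968C3844:
grp:::::::::0000000000000000000000000000000000000002:
"""

def parse_keygrips(colons_output: str) -> List[Dict[str, str]]:
    """A sec/ssb record opens an entry; the fpr/grp records after it carry field 10."""
    entries: List[Dict[str, str]] = []
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("sec", "ssb"):
            entries.append({"type": fields[0], "keyid": fields[4],
                            "fingerprint": "", "keygrip": ""})
        elif fields[0] == "fpr" and entries:
            entries[-1]["fingerprint"] = fields[9]
        elif fields[0] == "grp" and entries:
            entries[-1]["keygrip"] = fields[9]
    return entries

def match_key_files(entries: List[Dict[str, str]], homedir: str) -> Dict[str, bool]:
    """Does gpg-agent's file for each key exist under homedir (= GNUPGHOME / --homedir)?"""
    keydir = os.path.join(homedir, "private-keys-v1.d")
    return {e["keyid"]: os.path.isfile(os.path.join(keydir, e["keygrip"] + ".key"))
            for e in entries}

def demo() -> Dict[str, bool]:
    """Throwaway homedir holding only the primary key's file; the subkey shows as missing."""
    with tempfile.TemporaryDirectory() as home:
        keydir = os.path.join(home, "private-keys-v1.d")
        os.makedirs(keydir)
        entries = parse_keygrips(SAMPLE_COLONS)
        open(os.path.join(keydir, entries[0]["keygrip"] + ".key"), "w").close()
        return match_key_files(entries, home)
```

Run `demo()` to see the mapping; on a real homedir, feed `parse_keygrips` the captured colons output and call `match_key_files` with that directory.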
