3

Something I noticed, when I use gpg --export-secret-keys -a on different computers:

My private key looks different, even though they are the same key pair. Is that normal or does this indicate something is not the same? The key has the same fingerprint across devices, so I assume them to be the same, especially since I exported from one and imported to another.

Jens Erat
  • 23,446
  • 12
  • 72
  • 96
Chris Neitzer
  • 141
  • 2

2 Answers2

1

This is more of a troubleshooting question than a security question. I will ask several questions to help you identify the problem:

  • Are you using the same version of GPG on all systems?
  • Are you using the same encryption algorithm for the key in all cases?
  • Are you using GPG in all cases, or are you also using PGP?

Read: GnuPG Frequently Asked Questions question 5.7 which says:

Another possibility is this: by default, GnuPG encrypts your secret key using the Blowfish symmetric algorithm. Older PGPs will only understand 3DES, CAST5, or IDEA symmetric algorithms. Using the following method you can re-encrypt your secret gpg key with a different algo:

  $ gpg --s2k-cipher-algo=CAST5 --s2k-digest-algo=SHA1 \
        --compress-algo=1  --edit-key <username>
Community
  • 1
Brent Kirkpatrick
  • 940
  • 4
  • 19
  • Between my Macs the version is the same (gpg (GnuPG/MacGPG2) 2.0.28, libcrypt 1.6.3). Also, it seems that if I specify my fingerprint with the command used to print the private key to STDOUT, my Macs agree perfectly. I think it was including an old, revoked private key perhaps.At any rate, the version is different on my Linux machine (gpg (GnuPG) 2.1.11, libcrypt 1.6.5) and the private key it prints to STDOUT looks different than that on my Mac. But I can encrypt/decrypt between machines without issue. – Chris Neitzer Mar 18 '16 at 15:37
0

OpenPGP messages and also exported keys are assembled by many OpenPGP packets, which even might again be split in subpackets. There are lots of different ways to assemble them.

There are many possible reasons for getting different secret key exports:

  • multiple keys might be exported in different order
  • different versions of GnuPG print equivalent, but slightly different output within the OpenPGP specifications
  • different options for symmetric encryption (with the passphrase given) are applied, or just different initialization vectors are used
  • the exported secret key might also contain different sets of signatures on the public key, which also might be ordered differently

Likely, even multiple of those reasons apply. You can have a look at the exported key's contents by running gpg --list-packets [file]. You could do with both exports, and use diff (or some more advanced graphical user interface) to compare the results. Reading RFC 4880, OpenPGP might be required to understand the output details.

Community
  • 1
Jens Erat
  • 23,446
  • 12
  • 72
  • 96