Exporting Secret Keys
Exporting secret keys is, functionally, very similar to exporting public keys; save for the invocation of pinentry via gpg-agent in order to securely enter the key's passphrase and authorise the export.
The following example exports the secret key to a file which is then set with the same permissions as the output files created by the command line secret key export options.
import gpg import os import os.path import sys print(""" This script exports one or more secret keys. The gpg-agent and pinentry are invoked to authorise the export. """) c = gpg.Context(armor=True) if len(sys.argv) >= 4: keyfile = sys.argv[1] logrus = sys.argv[2] homedir = sys.argv[3] elif len(sys.argv) == 3: keyfile = sys.argv[1] logrus = sys.argv[2] homedir = input("Enter the GPG configuration directory path (optional): ") elif len(sys.argv) == 2: keyfile = sys.argv[1] logrus = input("Enter the UID matching the secret key(s) to export: ") homedir = input("Enter the GPG configuration directory path (optional): ") else: keyfile = input("Enter the path and filename to save the secret key to: ") logrus = input("Enter the UID matching the secret key(s) to export: ") homedir = input("Enter the GPG configuration directory path (optional): ") if homedir.startswith("~"): if os.path.exists(os.path.expanduser(homedir)) is True: c.home_dir = os.path.expanduser(homedir) else: pass elif os.path.exists(homedir) is True: c.home_dir = homedir else: pass try: result = c.key_export_secret(pattern=logrus) except: result = c.key_export_secret(pattern=None) if result is not None: with open(keyfile, "wb") as f: f.write(result) os.chmod(keyfile, 0o600) else: pass
Alternatively the approach of the following script can be used. This longer example saves
the exported secret key(s) in files in the GnuPG home directory, in addition to setting the
file permissions as only readable and writable by the user. It also exports the secret
key(s) twice in order to output both GPG binary (.gpg) and ASCII armoured
(.asc) files.
import gpg import os import os.path import subprocess import sys print(""" This script exports one or more secret keys as both ASCII armored and binary file formats, saved in files within the user's GPG home directory. The gpg-agent and pinentry are invoked to authorise the export. """) if sys.platform == "win32": gpgconfcmd = "gpgconf.exe --list-dirs homedir" else: gpgconfcmd = "gpgconf --list-dirs homedir" a = gpg.Context(armor=True) b = gpg.Context() c = gpg.Context() if len(sys.argv) >= 4: keyfile = sys.argv[1] logrus = sys.argv[2] homedir = sys.argv[3] elif len(sys.argv) == 3: keyfile = sys.argv[1] logrus = sys.argv[2] homedir = input("Enter the GPG configuration directory path (optional): ") elif len(sys.argv) == 2: keyfile = sys.argv[1] logrus = input("Enter the UID matching the secret key(s) to export: ") homedir = input("Enter the GPG configuration directory path (optional): ") else: keyfile = input("Enter the filename to save the secret key to: ") logrus = input("Enter the UID matching the secret key(s) to export: ") homedir = input("Enter the GPG configuration directory path (optional): ") if homedir.startswith("~"): if os.path.exists(os.path.expanduser(homedir)) is True: c.home_dir = os.path.expanduser(homedir) else: pass elif os.path.exists(homedir) is True: c.home_dir = homedir else: pass if c.home_dir is not None: if c.home_dir.endswith("/"): gpgfile = "{0}{1}.gpg".format(c.home_dir, keyfile) ascfile = "{0}{1}.asc".format(c.home_dir, keyfile) else: gpgfile = "{0}/{1}.gpg".format(c.home_dir, keyfile) ascfile = "{0}/{1}.asc".format(c.home_dir, keyfile) else: if os.path.exists(os.environ["GNUPGHOME"]) is True: hd = os.environ["GNUPGHOME"] else: hd = subprocess.getoutput(gpgconfcmd) gpgfile = "{0}/{1}.gpg".format(hd, keyfile) ascfile = "{0}/{1}.asc".format(hd, keyfile) try: a_result = a.key_export_secret(pattern=logrus) b_result = b.key_export_secret(pattern=logrus) except: a_result = a.key_export_secret(pattern=None) b_result = b.key_export_secret(pattern=None) if a_result is not None: with open(ascfile, "wb") as f: f.write(a_result) os.chmod(ascfile, 0o600) else: pass if b_result is not None: with open(gpgfile, "wb") as f: f.write(b_result) os.chmod(gpgfile, 0o600) else: pass