I would like to keep a GPG secret key passphrase-protected in my personal keyring on my laptop, but also export it as a passphrase-less ASCII-armored file for use in an automated system that has its own secret-management.
At the moment, the best solution I have for this is:
- Edit the key on my keyring, removing the passphrase (using `gpg --edit-key <keyid> passwd` as in https://unix.stackexchange.com/a/550538/46453)
- Export the key (using `gpg --armor --export-secret-key`)
- Re-edit the key on my keyring to re-add the passphrase.
Rather than adding and removing the passphrase, it would be nicer to just remove the passphrase as part of the exporting process on the ASCII-armored file. Is this possible?
Unfortunately, GPG does not provide a direct option to export a passphrase-less ASCII-armored secret key. However, you can achieve a similar result by using GPG's capabilities to temporarily disable the passphrase during key export. Here's a step-by-step guide:
1. Export the secret key without passphrase:
   The `export-options export-reset-subkey-passwd` option will temporarily disable the passphrase for the exported subkey. The exported key will not have a passphrase, but your original keyring will remain passphrase-protected.
2. Re-enable the passphrase on your original keyring:
   Within the GPG key editor, use the `passwd` command to set a passphrase for the key.

This way, you export the key without a passphrase, but you don't permanently remove the passphrase from your keyring. Remember to securely manage the exported ASCII-armored file, as it won't have passphrase protection.
Please note that GPG is designed to prioritize security, and having a passphrase on your secret key is considered a best practice. Be cautious when handling keys without passphrases, especially if they are used for sensitive operations.
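Whichever route produces the export, it is worth checking the resulting file itself rather than trusting the command line that made it, since a subkey-only reset leaves the primary key encrypted while an edit-key `passwd` strips everything. The following is an added example, not part of either post above and not GnuPG's own code: it parses the ASCII armor and the OpenPGP packet headers (RFC 4880) and reads the S2K usage byte that follows each secret key's public material, which is 0 when the secret material is stored unencrypted and 254/255 (or a legacy cipher id) when it is passphrase-protected. The key material embedded at the bottom is constructed and non-functional, built only to exercise the parser; `gpg --list-packets` on a real export reports the same field.

```python
# Added example: inspect an ASCII-armored OpenPGP secret-key export for passphrase protection.
import base64

SECRET_KEY_TAGS = {5: "secret key", 7: "secret subkey"}
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}   # public MPIs for RSA*, Elgamal, DSA
ECC_ALGOS = {18, 19, 22}                         # ECDH, ECDSA, EdDSA: OID + point

def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str) -> bytes:
    """Strip ASCII armor, check the CRC24 line and return the raw packet bytes."""
    lines = armored.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                                  # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    data = base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))
    crc = [ln for ln in body if ln.startswith("=")]
    if crc and crc24(data) != int.from_bytes(base64.b64decode(crc[0][1:]), "big"):
        raise ValueError("armor CRC mismatch")
    return data

def packets(data: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        if ctb & 0x40:                                  # new-format header
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        yield tag, data[pos:pos + length]
        pos += length

def skip_mpi(body: bytes, pos: int) -> int:
    return pos + 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8

def s2k_usage(body: bytes) -> int:
    """S2K usage byte of a v4 secret-key packet body: 0 means no passphrase."""
    if body[0] != 4:
        raise ValueError("only v4 key packets are handled here")
    algo, pos = body[5], 6
    if algo in MPI_COUNT:
        for _ in range(MPI_COUNT[algo]):
            pos = skip_mpi(body, pos)
    elif algo in ECC_ALGOS:
        pos = skip_mpi(body, pos + 1 + body[pos])       # skip curve OID, then public point
        if algo == 18:
            pos += 1 + body[pos]                        # ECDH KDF parameters
    else:
        raise ValueError(f"unsupported public-key algorithm {algo}")
    return body[pos]

def protection_report(armored: str) -> list:
    """[(packet kind, is_passphrase_protected), ...] in key-block order."""
    return [(SECRET_KEY_TAGS[tag], s2k_usage(body) != 0)
            for tag, body in packets(dearmor(armored)) if tag in SECRET_KEY_TAGS]

def fake_secret_key_packet(tag: int, usage: int) -> bytes:
    """Constructed, non-functional v4 RSA secret-key packet with an old-format header."""
    body = b"\x04" + b"\x00" * 4 + b"\x01"                    # version 4, timestamp, RSA
    body += b"\x00\x10\xc0\x01" + b"\x00\x11\x01\x00\x01"      # toy MPIs: n (16 bits), e = 65537
    body += bytes([usage])
    if usage == 254:                                          # S2K: AES-128, iterated+salted SHA-1
        body += bytes([7, 3, 2]) + b"saltsalt" + b"\x60" + b"\x00" * 16
    body += b"\xee" * 8                                       # stand-in for the secret material
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

def armor(data: bytes) -> str:
    b64 = base64.b64encode(data).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP PRIVATE KEY BLOCK-----\n\n{lines}\n={crc}\n-----END PGP PRIVATE KEY BLOCK-----\n"

USER_ID = bytes([0xB4, 0x0B]) + b"Constructed"   # tag 13 user ID, old-format 1-byte length
PASSPHRASE_LESS = armor(fake_secret_key_packet(5, 0) + USER_ID + fake_secret_key_packet(7, 0))
PROTECTED = armor(fake_secret_key_packet(5, 254) + USER_ID + fake_secret_key_packet(7, 254))
```

Run `protection_report()` over the file you are about to hand to the automated system: every entry should read `False` for a fully passphrase-less export, and a mix of `True` for the primary key and `False` for subkeys is what a subkey-only reset produces. Partial-length and indeterminate-length packets are rejected rather than guessed at, since a real export from GnuPG never uses them for key packets.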