Export Android OpenKeychain/PGP Private Key to PC using GnuPG (Linux)

May 3, 2021

Export Key

You can easily export the public key:

  • Select key
  • Click share icon

But the public key can only be used to decrypt, not to encrypt or sign.

To export the private key:

  • Select key
  • Click Backup key (via triple-horizontal-dot)

You need to write down the 4x3x3 = 36 digit backup code. Sadly, there is no copy function/button, so you have to do it manually. It is very easy to make a mistake, so make sure you double and triple check. If possible, leave the screen open.

Check the "I have written down this backup code." checkbox.

Click Share Backup (e.g. via Dropbox) or Save Backup.

Ubuntu Import Key

Install GnuPG

sudo apt-get install gnupg

To import public key only

gpg --import key.asc

To import private key

gpg --decrypt /media/sf_lubuntu/pgp/backup_YYYY-MM-DD.sec.pgp | gpg --import

Then you will be prompted to key in the backup code.

gpg: unknown armor header: Passphrase-Format: numeric9x4
gpg: unknown armor header: Passphrase-Begin: 31
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
gpg: key 18F78DBB0FF7C00B: "test <test@mydomain.com>"
gpg: key 18F78DBB0FF7C00B: secret key imported
gpg: Total number processed: 2
gpg:              unchanged: 2
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

Previously I bumped into the following error, with no prompt for the backup code. I suspect it is because I imported the public key prior to this and it sort of failed to decrypt the backup key.

Solution: I deleted the public key via gpg --delete-key test (list all keys via gpg --list-key). I am sure there is a better solution, such as changing the default key or something.

gpg: unknown armor header: Passphrase-Format: numeric9x4
gpg: unknown armor header: Passphrase-Begin: 31
gpg: AES256 encrypted data
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
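
Because the 36-digit code is copied by hand, it can be checked against the backup file's own Passphrase-Format and Passphrase-Begin armor headers before gpg is run. This is an added example, not part of the original post or of OpenKeychain; the function names are made up here, and it assumes the code is typed as nine 4-digit groups joined by dashes and that Passphrase-Begin holds the code's leading digits.

```shell
#!/bin/sh
# Added example (not from the original post): check a hand-copied backup code
# against the armor headers of the backup file before running gpg --decrypt.

# Print the value of one armor header, e.g. "Passphrase-Begin".
armor_header() {  # $1 = backup file, $2 = header name
    awk -v name="$2" '
        /^-----BEGIN PGP /               { hdr = 1; next }
        hdr && /^[ \t\r]*$/              { exit }   # blank line ends the headers
        hdr && index($0, name ": ") == 1 { print substr($0, length(name) + 3); exit }
    ' "$1" | tr -d '\r'
}

# Return 0 if the code fits the announced format and prefix, 1 if the code
# looks mistyped, 2 if the file does not announce numeric9x4.
check_backup_code() {  # $1 = backup file, $2 = code as typed
    cbc_fmt=$(armor_header "$1" "Passphrase-Format")
    cbc_begin=$(armor_header "$1" "Passphrase-Begin")
    if [ "$cbc_fmt" != "numeric9x4" ]; then
        echo "unexpected Passphrase-Format: ${cbc_fmt:-none}" >&2; return 2
    fi
    # Assumption: numeric9x4 means nine 4-digit groups joined by dashes.
    if ! printf '%s\n' "$2" | grep -Eq '^[0-9]{4}(-[0-9]{4}){8}$'; then
        echo "expected 9 dash-separated groups of 4 digits" >&2; return 1
    fi
    # Assumption: Passphrase-Begin holds the leading digits of the code.
    case "$2" in
        "$cbc_begin"*) return 0 ;;
        *) echo "code does not start with the Passphrase-Begin value" >&2; return 1 ;;
    esac
}

# Constructed sample: headers as in the gpg output above, no real key data.
write_sample_backup() {  # $1 = output path
    printf '%s\n' '-----BEGIN PGP MESSAGE-----' \
        'Passphrase-Format: numeric9x4' 'Passphrase-Begin: 31' '' \
        'placeholder' '-----END PGP MESSAGE-----' > "$1"
}

demo=$(mktemp)
write_sample_backup "$demo"
# Constructed code that starts with 31, so it passes both checks.
check_backup_code "$demo" "3141-5926-5358-9793-2384-6264-3383-2795-0288" \
    && echo "code looks plausible"
rm -f "$demo"
```

A pass only means the shape and the leading digits match; a wrong digit further in will still make gpg --decrypt fail.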

Encrypt

Encrypt text

echo "I am from PC" | gpg --encrypt --armor --sign --default-key test -r test
  • --armor generates ASCII output.
  • --sign is optional and needs the private key.
  • --default-key is needed if you have multiple keys.
  • -r or --recipient is mandatory: you can use the name test or the email test@mydomain.com

Encrypt file

gpg --encrypt --armor --sign --default-key test -r test sample.txt

sample.txt.asc will be generated.

Decrypt

Decrypt File

gpg --decrypt sample.txt.asc > out.txt

Decrypt File to std output

gpg --decrypt sample.txt.asc 2>/dev/null

This work is licensed under a
Creative Commons Attribution-NonCommercial 4.0 International License.