A new private key with each export

Every time I export my private key, the key I get is different from the last export. However, they’re also dissimilar from each other in the same way: it’s always only a middle part of the main block, and the last 5 characters before the footer. So it looks like this:

< blank line >
< approx. 200 characters are the same >
< but the middle section varies >
< then the rest is the same >
< except the last 5 characters are different >

It is possible that something is time based. You can use -vv to gpg when importing to see the packet structure. This should get you one step further when analysing this. :)


Except this doesn’t pertain to importing keys. Like I said, this is my own key-pair, and the issue happens when I export my private key.

By the way, I tried this and got an error:
gpg -aovv output.asc --export-secret-keys

So I tried this but there was nothing verbose:
gpg -vv -ao output.asc --export-secret-keys

gpg -aovv output.asc cannot work because -o needs a parameter.

There are additional parameters to enable even more diagnostics.
I’d look at the import of the secret key, to see the structure of the OpenPGP msg.

“gpg -o output.asc” does have a parameter: output.asc…
it’s outputting to a file called “output.asc”…

-vv didn’t work because it apparently isn’t implemented for exports.
If you disagree, then just tell me how to get verbose detail during export.

I don’t understand what you’re suggesting about importing my own private key. Are you saying I should back up my key-pair, delete it, then import it from the backup file while using -vv?

Isn’t there some other way to get the diagnostic info w/o importing?

-debug=all will get you more info when exporting.

gpg -v --list-packets will parse the OpenPGP file and output its structure.

When trying to import a key that you already have, you can also see its structure,
but --list-packets is probably better.

Someone in another forum said this to me:

“If your private key is passphrase protected, then the exported key is also encrypted. So your private key is encrypted newly with each export. And that will generate a different output each and every time.”

Is that true?

It is correct that an exported key is encrypted (as far as I know).

Again I expect a datetime of the export to be in the data as cause for the binary difference.

Okay, but he also said “your private key is encrypted newly with each export. And that will generate a different output each and every time.”
Is that true - that each export will be different by design?
Can you test that for me yourself with your own key-pair? Assuming your private key is password-protected, can you tell me if you get a different output every time you export it?

How would a datetime get into the data though?
I did nothing special when I generated my key-pair.

Hi Ben,

for me it is the random salt value for the secret-to-key conversion of the passphrase
to the actual key for the symmetric cypher. (See RFC 4880).

To examine this yourself, here is how I did it:

gpg2 --export-secret-key XYZ >x
gpg2 --export-secret-key XYZ >y

gpg2 --list-packets x >xl
gpg2 --list-packets y >yl

diff -u xl yl

  •   iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 7A708D0486F22BDB


This time it is the salt, which is chosen randomly.
In many cases binary differences come from date-times included somehow, e.g. as the creation time of the export or signature (which does not seem to be the case for my example; however, I was giving general hints on how to analyse the situation).


  •   iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: A0C2EB176C55E341


On my Windows system, with the Gpg4win package, the commands are a little different. I include them here for others who may read this thread:
gpg --export-secret-key "Name" > x:\path\private1.key
gpg --export-secret-key "Name" > x:\path\private2.key
gpg --list-packets x:\path\private1.key > x:\path\private1.key.pkts
gpg --list-packets x:\path\private2.key > x:\path\private2.key.pkts

First off, the two exports - private1.key and private2.key - are different from each other in my case. How about you?

Secondly, I have an additional difference in my packet outputs compared to yours - “protect IV”:

iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: <salt 1>
protect IV: <hex string 1>

iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: <salt 2>
protect IV: <hex string 2>

Hello Ben,
if a salted password is used, then the exported files must be different.
(And they are for me; this is why the GNU command “diff” shows differences.)

Please read rfc4480 and about its cryptography why this leads to other differences.


Why didn’t you say that in the first place?
Why didn’t you say that exported private keys are supposed to be different from each other when you responded to my first post?
Someone already gave me this answer in another thread.

In my first answers I wanted to give you the hints to analyse this yourself. I haven’t had a look into this and I did not know what you knew. :)
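The effect discussed in this thread, as an added example that is not part of the original posts: the iterated+salted S2K from RFC 4880 section 3.7.1.3 yields a different protection key for each salt, and the armor CRC-24 from section 6.1 (the five characters before the footer) changes whenever any byte of the export changes. The two salts are the ones shown above; the passphrase, the count octet and the blob layout in `toy_export` are constructed assumptions.

```python
import base64
import hashlib

def s2k_iter_salted(passphrase, salt, count_byte, keylen=16):
    """Iterated+salted S2K (RFC 4880, 3.7.1.3) with SHA-1, truncated to keylen."""
    # Decode the one-octet count into the number of octets to hash.
    count = (16 + (count_byte & 15)) << ((count_byte >> 4) + 6)
    unit = salt + passphrase
    count = max(count, len(unit))  # at least one full salt+passphrase copy
    reps, rest = divmod(count, len(unit))
    return hashlib.sha1(unit * reps + unit[:rest]).digest()[:keylen]

def crc24(data):
    """CRC-24 as specified for ASCII armor in RFC 4880, 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor_checksum(data):
    """The '=XXXX' line printed just before the armor footer (5 characters)."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()

def toy_export(salt):
    """Constructed stand-in for an exported key: only the salt field varies."""
    return b"P" * 150 + salt + b"T" * 40

# Salts are the two values from the thread; everything else is constructed.
SALT_X = bytes.fromhex("7A708D0486F22BDB")
SALT_Y = bytes.fromhex("A0C2EB176C55E341")
PASSPHRASE = b"example passphrase"
COUNT_BYTE = 0x60  # assumed count octet: 65536 octets are hashed

if __name__ == "__main__":
    for salt in (SALT_X, SALT_Y):
        key = s2k_iter_salted(PASSPHRASE, salt, COUNT_BYTE)
        body = base64.b64encode(toy_export(salt)).decode()
        # Same passphrase, different salt: different key, middle and checksum.
        print(salt.hex(), key.hex(), body[196:216], armor_checksum(toy_export(salt)))
```

In a real export the encrypted secret material and the protect IV change as well, so more of the middle section differs than in this stand-in.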