Documentation: what does this warning mean? "export only public certificate"

Hi all,

In the compendium, about exporting certificates, it has this serious sounding warning:
“When you select the menu item, please make sure that you are only exporting your public certificate - and not the certificate of your entire key pair with the associated private key by mistake.”

I don’t understand this sentence. What is a “public” certificate? I made an OpenPGP key pair, and only one certificate was created, so I guess it contains both public and private keys.
When I exported it, it created a text file with only a “-----BEGIN PGP PUBLIC KEY BLOCK-----” section, so I guess it doesn’t contain a private key.

So - how is it even possible to export “the certificate of your entire key pair”?



Yes, if the key block says “Public Key”, it does not contain the private key. And when you create a new key, you are indeed creating both a public and private key at the same time.

In order to export the public and private keys, you would need to do the following:

In Kleopatra, select the key by left-clicking on it. Then click the “File” menu and select “Export secret key”, or right-click the key and select the same option from the pop-up menu. Follow the prompts to complete the process.

In the command prompt, use the command: --export-secret-key. Some examples of how to use this are:

gpg -a -o [filename].asc --export-secret-key [key ID]
gpg -o [filename].txt --export-secret-key [key ID]

The first example uses the “armor” (-a) option, producing an ASCII armored file which will contain only ASCII characters. This is better for printing etc. where you may need to manually reenter the key in case the copy on your PC gets erased somehow. The second example produces a binary output which is easily read by a computer, but is not convenient for manual reentry. The “output” (-o) option stores the output in a file instead of just displaying it on screen, which is what would happen if you didn’t use it. In all of the above examples, both the private and public keys will be exported in one file.

Keep in mind that the only reason you would want to do this is to make a backup of your key, or if you want someone else to be able to decrypt messages which were encrypted with that key. (In that case you simply give that person the file and they can import it into their keyring.)

Note: ANYONE WHO HAS ACCESS TO A COPY OF THE SECRET KEY WILL BE ABLE TO DECRYPT MESSAGES ENCRYPTED WITH THAT KEY! That is why it is recommended that you keep any spare copies of your private (secret) key in a safe location. Never share your private key with anyone whom you don’t want to be able to decrypt messages encrypted with that key!

The public key can (and should) be shared with anyone and everyone whom you want to be able to send you encrypted messages.

In Kleopatra, all of the keys for which you have the private key will be displayed under the “My Certificates” tab. Keys for which you do not have the private key will be displayed under other tabs. In the command prompt, you can see which private keys you have by typing: gpg -K. All public keys can be displayed using: gpg -k.

Hope that helps!

Sean C.