DISCLAIMER: GPG Noob
I just sent my master key and two of my three subkeys to a Yubikey without knowing they would be removed from my keyring and replaced by a stub.
After that I tried to get my subkeys back in case they were still around.
I can see my key and subkeys in GPG Keychain OSX app.
When listing with gpg -k and gpg -K, I get all the public keys associated with my master and subkeys but only the secrets for my master key and one of the subkeys (the one I didn't export to the Yubikey).
Trying to debug more, I decided to use a newer version of gpg to merge keys and so on, hoping I could get the secrets back (I guess at this point it was already impossible but I kept trying).
Using gpg (GnuPG/MacGPG2) 2.0.30, it tells me I have one master secret key and two secret subkeys.
gpg -K
/Users/john/.gnupg/secring.gpg
------------------------------------
sec 4096R/XXXXXXXX 2016-07-07 [expires: 2020-07-07]
uid John Doe <[email protected]>
ssb 4096R/YYYYYYYY 2016-12-28
ssb 4096R/ZZZZZZZZ 2017-09-16
Using gpg (GnuPG) 2.1.20 in a container with the same keyring (mounted as a volume), it tells me I have one master secret and three secret subkeys.
gpg -K
/root/.gnupg/pubring.gpg
------------------------
sec rsa4096 2016-07-07 [SC] [expires: 2020-07-07]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid [ultimate] John Doe <[email protected]>
ssb rsa4096 2016-07-07 [E] [expires: 2020-07-07]
ssb rsa4096 2016-12-28 [S] [expires: 2020-07-07]
ssb rsa4096 2017-09-16 [A] [expires: 2020-07-06]
If I export my secret keys from the second, remove the secret keys from my keyring and import the exported secret keys (hoping to get the missing secret subkey), all I get are "stubs".
If I open and split the exported secret keys, I can see some key files are 1.8K and others just 0.5K, so it seems they don't really contain a secret.
- Why does the second, newer version of GPG not tell me that all it has are stubs?
- Why are the secrets not listed as stubs, while exporting+importing produces stubs?
- Is there a way of recovering my secrets? (I guess no)
You're using gpg 2.0. I have gpg 2.1 and here's what my gpg -K output looks like (uppercase K, i.e. --list-secret-keys):
Check ~/.gnupg/private-keys-v1.d; hopefully your secret keys will be there. If anything, if you set up your key like I did (only my subkeys are on the YubiKey, the master key is on an offline encrypted backup medium), you can still use the master key to edit the keys (master and subkeys) as you see fit.
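The following is an added example, not part of the question or the answer above: one way to tell real secret key material from stubs, using field 15 of the machine-readable listing and the S-expression tag inside the files in private-keys-v1.d. It assumes GnuPG 2.1 or later; the function names are hypothetical and the sample listing (key IDs, card serial, address) is constructed.

```shell
#!/bin/sh
# Added example. Real use:  gpg --with-colons -K | classify_secret_keys
# Field 15 of a sec/ssb record is "+" when the secret is on disk,
# "#" for a stub without secret material, or the card serial number.

classify_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            token = $15
            if (token == "+")      state = "secret-on-disk"
            else if (token == "#") state = "stub-no-secret"
            else if (token != "")  state = "on-card:" token
            else                   state = "unknown"
            # record type, key ID, capabilities, where the secret lives
            print $1, $5, $12, state
        }'
}

# Classify one file from ~/.gnupg/private-keys-v1.d by its S-expression tag.
# A card stub is a shadowed-private-key; real material is private-key or
# protected-private-key. Check "shadowed" first, the other tag is a substring.
keyfile_kind() {
    if grep -q -a 'shadowed-private-key' "$1"; then
        echo stub
    elif grep -q -a 'private-key' "$1"; then
        echo secret
    else
        echo unknown
    fi
}

# Constructed sample of colon-format output (not taken from the post).
sample_listing() {
    cat <<'EOF'
sec:u:4096:1:1111111111111111:1467849600:1594080000::u:::scESC:::+:::23::0:
uid:u::::1467849600::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:2222222222222222:1467849600:1594080000:::::e:::D2760001240102010006000000010000::23:
ssb:u:4096:1:3333333333333333:1482883200:1594080000:::::s:::#::23:
ssb:u:4096:1:4444444444444444:1505520000:1593993600:::::a:::+::23:
EOF
}

sample_listing | classify_secret_keys
```

To check the key files themselves, loop over ~/.gnupg/private-keys-v1.d/*.key and pass each path to keyfile_kind; a stub there means the secret exists only on the card or in a backup made before the move.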