@fredreichbier
Last active March 10, 2024 09:47
How to extract your private ssh key from gpg-agent

How to extract an SSH private key from gpg-agent

Problem: the private key file ~/.ssh/id_rsa was lost, but public-key authentication to remote hosts still worked, because gpg-agent (acting as the SSH agent) still held the private key. How do you get the private key back?

Solution: use gpg-protect-tool (invoked through gpgsm) to export the key as a PKCS#12 file; you need to know its passphrase, of course:

gpgsm --call-protect-tool --p12-export ~/.gnupg/private-keys-v1.d/your-keyfile.key >key.p12

Now you have a PKCS#12 file, from which you can extract the private key as a PEM file like this:

openssl pkcs12 -in key.p12 -out privkey.pem

And there is your extracted private key.

@ansemjo

ansemjo commented May 12, 2021

While this is blocked on support in an up-to-date gpgsm, you can just use an old version... for example, Debian 8 "Jessie" has gpgsm (GnuPG) 2.0.26, which still has --p12-export. The quickest way for me to use it was in a container, something like this:

$ docker run --rm -it -v ~/.gnupg:/gnupg debian:8
root@f12e2268d754:/# apt update && apt install -y gpgsm
[...]
root@f12e2268d754:/# gpgsm --call-protect-tool --p12-export /gnupg/private-keys-v1.d/KEYGRIP.key > /gnupg/lostkey.p12
root@f12e2268d754:/# exit
$ openssl pkcs12 -in ~/.gnupg/lostkey.p12 -out ~/privkey.pem

@hanyuwei70

> While this is blocked on support in an up-to-date gpgsm, you can just use an old version... for example, Debian 8 "Jessie" has gpgsm (GnuPG) 2.0.26, which still has --p12-export. The quickest way for me to use it was in a container, something like this:
>
> $ docker run --rm -it -v ~/.gnupg:/gnupg debian:8
> root@f12e2268d754:/# apt update && apt install -y gpgsm
> [...]
> root@f12e2268d754:/# gpgsm --call-protect-tool --p12-export /gnupg/private-keys-v1.d/KEYGRIP.key > /gnupg/lostkey.p12
> root@f12e2268d754:/# exit
> $ openssl pkcs12 -in ~/.gnupg/lostkey.p12 -out ~/privkey.pem

Tried it, but it didn't work on my ed25519 key, complaining about "error converting key parameters". It seems it doesn't support ed25519.
But I have decrypted my key and got q and d, two integers; now finding a way to construct the final OpenSSH keys.

@hanyuwei70

nvm. I have managed to recover my private key by decrypting the original key and using the cryptography Python library.
If you decrypted your key, there is a d section which is 32 bytes long. Use that in the cryptography library to reconstruct your OpenSSH key.
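The reconstruction hanyuwei70 describes, as an added example that is not code from the gist or the comments, done with the Python standard library only instead of the cryptography package: it pulls q and d out of the decrypted GnuPG key and writes them as an unencrypted OpenSSH private key. It assumes the decrypted key is a canonical S-expression of the form (private-key (ecc (curve Ed25519) (flags eddsa) (q ...) (d ...))) with libgcrypt's 0x40 prefix byte on q; the sample key bytes are constructed dummies, not a real key pair.

```python
import base64
import struct

def tokens(data: bytes):
    """Tokenise a canonical S-expression: yields '(' / ')' or the bytes of each 'N:bytes' atom."""
    i = 0
    while i < len(data):
        c = data[i:i + 1]
        if c in (b'(', b')'):
            yield c.decode()
            i += 1
        elif c.isdigit():                       # length-prefixed atom
            colon = data.index(b':', i)
            n = int(data[i:colon])
            yield data[colon + 1:colon + 1 + n]
            i = colon + 1 + n
        else:                                   # whitespace between tokens
            i += 1

def find_param(data: bytes, name: bytes):
    """Return the value v of the first '(name v)' list in the S-expression, or None."""
    toks = list(tokens(data))
    for j in range(len(toks) - 2):
        if toks[j] == '(' and toks[j + 1] == name and isinstance(toks[j + 2], bytes):
            return toks[j + 2]
    return None

def ssh_string(b: bytes) -> bytes:
    return struct.pack('>I', len(b)) + b        # SSH wire format: uint32 length + data

def ed25519_sexp_to_openssh(sexp: bytes, comment: bytes = b'recovered') -> str:
    """Build an unencrypted openssh-key-v1 PEM from the q and d parameters of the key."""
    q, d = find_param(sexp, b'q') or b'', find_param(sexp, b'd') or b''
    q = q[1:] if len(q) == 33 and q[:1] == b'\x40' else q   # libgcrypt prefixes EdDSA points with 0x40
    if len(q) != 32 or len(d) != 32:
        raise ValueError('unexpected Ed25519 parameter sizes: q=%d d=%d' % (len(q), len(d)))
    pub_blob = ssh_string(b'ssh-ed25519') + ssh_string(q)
    priv = b'\x00\x00\x00\x01' * 2              # check ints (constant here; ssh-keygen uses a random pair)
    priv += pub_blob + ssh_string(d + q) + ssh_string(comment)   # OpenSSH private = seed || public
    priv += bytes(range(1, (-len(priv)) % 8 + 1))   # pad 1,2,3,... up to the 8-byte block size
    blob = (b'openssh-key-v1\x00' + ssh_string(b'none') + ssh_string(b'none') + ssh_string(b'')
            + struct.pack('>I', 1) + ssh_string(pub_blob) + ssh_string(priv))
    b64 = base64.b64encode(blob).decode()
    body = '\n'.join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return '-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n' % body

# Constructed sample in GnuPG's layout; q and d are dummy bytes, not a real key pair.
SAMPLE_Q, SAMPLE_D = bytes(range(32)), bytes(range(100, 132))
SAMPLE_SEXP = (b'(11:private-key(3:ecc(5:curve7:Ed25519)(5:flags5:eddsa)(1:q33:' + b'\x40' + SAMPLE_Q
               + b')(1:d32:' + SAMPLE_D + b')))')
```

Write the returned string to a file with mode 0600 and run ssh-keygen -y -f on it to confirm the derived public key matches the one you were authenticating with.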
