Extracting Secret Key from pubring.kbx

[shin-san]

I am currently working on doing some simple GPG RSA encryption and decryption using BouncyCastle and I have noticed that the KeyBox model has been introduced in order to support .kbx files.

Now that both pubring and secring are under one file. I was just wondering if it is programmatically possible to extract the secring from the KeyBox model? The current method I had to do is to manually export it from cli which I assume is still the only way to extract it.

I am quite new to this so I may not fully understand how all the classes work in gpg but I don't I came across any classes that allows us to extract the secring from KeyBox directly.

I would like to hear some thoughts regarding this on whether it is feasible or not.

[pragmaxim]

@shin-san Did you figure that out? To my knowledge, since gnupg 2.1+, exporting the keys is necessary so that Bouncy Castle can use them. Which is quite unpleasant because users need to build apps that would work seamlessly, assuming that most users have gnupg installed with their personal keys present on the FS.

[Patrick-Harms]

FYI, from gpg 2.1+, the public keys are now in the keybox file. The private/secret keys are now in individual files in the "private-keys-v1.d" directory. The secret keys are reasonably static in my environment. So, I exported the secret key, then wrote code with BC library to parse the exported secret key file (which is in a secure format, but in my environment it is stored in a secure vault from HashiCorp).

[bodhi-one]

To review, AFAIK, bouncycastle team has decided to not support PGP secret keys being placed in a .kbx file. From one view, this seems quite odd because secring.pgp and pubring.pgp were the bouncycastle support methods of doing things for years. But with gpg 2.1 and the move to .kbx files, there is no longer support for PGP secret keys. What happened? It was strange enough that the abandonment of .pgp files occurred during a minor release (2.0 -> 2.1) but it feels like PGP in general has been abandoned by the major API players. In exchanging files across corporations, PGP is still very much in use. Was there something in the .kbx spec that mean that providers like bouncycastle felt they could just ignore the combination of PGP secret keys and .kbx files ?