OpenGPG PEM key

I’m working through the instructions to import OpenPGP key and it indicates that you should export your secret key using…

$ gpg --output private.asc --armor --export-secret-key <YOUR EMAIL>

This gives me the private.asc file in armor format. The next step is to follow the instructions here to “load the private.asc key onto OnlyKey”.

Wasn’t sure this would work as its in armor format rather than PEM and the OnlyKey App and screenshots clearly state it should be in PEM format, but went ahead and gave it a whirl, selecting “Auto Load” for the slit, putting the key in config mode, pasting the text into the box and entering my password.

On clicking “Save to OnlyKey” the message Error parsing PGP key: Invalid enum value. which I assume is because the format is incorrect.

How does one convert the armor exported OpenPGP key to PEM? If its possible could the documentation be updated to include this?

Thanks in advance,


The PEM format (base 64 encoded DER) is the armor format. The error you received indicated your PGP key is not using standard supported options. If you are using advanced options like multiple subkeys the auto load will not work, that only works with standard keys. You can still load these but you would have to select which subkey to use as your signing key and which one to use with your encryption key. There is more information on this here - Import keys from Keybase, Protonmail, and GPG | Docs

Ahha, thank you for pointing that out, I’d managed to overlook that key aspect.

I’ve tried following the instructions

  1. Export the OpenPGP compatible private key from GPG
❱ gpg2 --list-keys
pub   ed25519 2020-11-20 [SC]
uid           [ultimate] Your Name <>
sub   cv25519 2022-04-20 [E]
sub   ed25519 2022-04-20 [A]
sub   ed25519 2022-04-20 [S]

gpg2 --with-colons --list-keys KJAA23980KALSJD0913UAJKNETAQ9082398345RU
  1. Put the OnlyKey Duo into config mode by holding down button #1 for 10+ seconds.

  2. The advice is geared towards OnlyKey not OnlyKey Duo and states you should…

Copy and paste the private key into the RSA Private Key box. Ensure slot 1 is selected, the same passphrase you used with GPG is entered as passphrase, Set as decryption key is selected. If you wish to use your PGP to encrypt OnlyKey backups select Set as backup key (Note: If you previously set a backup passphrase and set this the PGP key will be used instead). When finished select Save to OnlyKey

…under the “Keys” tab there is no “RSA Private key box” and my key is an Elliptic Curve Cryptography (ECC) key so I selected the Slot as ECC 1 (101) and pasted my key as returned by gpg2 --export-secret-key -a "F into the Key: box.

  1. Ticked the box Decryption key (use to decrypt messages)

  2. Entered my passphrase in the field.

  3. Click Save to OnlyKey

Was told Error parsing PGP key: Invalid enum value as I previously was. The only difference is that I have selected “Decryption key” this time.

Based on the documentation and perhaps my poor reading of it I tried pasting in the listed keys from gpg2 --with-colons --list-keys <KEY>, primarily that marked with e but without success and was told…

Error parsing PGP key: Cannot read properties of undefined (reading 'decrypt')

It looks like your GPG key is in a non standard format with 3 subkeys. We currently support keys generated using the standard options in the guide, if things like multiple subkeys are needed you can manually load subkeys.

The issue is likely that OpenPGP.js does not know how to parse the custom key. There is an alternative way of loading keys onto OnlyKey using the advanced tab in the app. There you can load directly the 32 byte private key (p256 or ed25519). In order to get that 32 byte private key other users have had luck following the instructions here - Add support for GPG keys with multiple subkeys · Issue #166 · trustcrypto/OnlyKey-App · GitHub

1 Like