
From the docs:

--export-secret-keys --export-secret-subkeys

Same as --export, but exports the secret keys instead. The exported keys are written to STDOUT or to the file given with option --output. This command is often used along with the option --armor to allow for easy printing of the key for paper backup; however the external tool paperkey does a better job of creating backups on paper. Note that exporting a secret key can be a security risk if the exported keys are sent over an insecure channel.

The second form of the command has the special property to render the secret part of the primary key useless; this is a GNU extension to OpenPGP and other implementations can not be expected to successfully import such a key. Its intended use is in generating a full key with an additional signing subkey on a dedicated machine. This command then exports the key without the primary key to the main machine.

GnuPG may ask you to enter the passphrase for the key. This is required, because the internal protection method of the secret key is different from the one specified by the OpenPGP protocol.

I don’t understand what "The second form of the command has the special property..." means and I spent a considerable amount of time trying to figure it out searching the web.

Trying to figure out if using --export-secret-keys includes master and subkeys (in the context of backing up both). This is sensitive stuff... want to make sure I have my facts straight.

Can someone please ELI5?

  • You could compare the outputs of gpg --export-secret-keys | gpg --list-packets and gpg --export-secret-subkeys | gpg --list-packets. The second form will give you a gnu-dummy S2K instead of the real primary secret key.
    – Michael F
    Commented Jan 7, 2022 at 8:51

1 Answer


It means that the --export-secret-subkeys option (second form of the command) will export dummy packets for the primary key, so effectively only subkeys are exported.

See also this guide from Debian (search "dummy OpenPGP packet").
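As an added example (not part of the question, the answer, or GnuPG itself), here is a small Python script that reads a binary secret-key export and reports, for each key packet, whether the secret half is really there, is passphrase-protected, or is the GNU dummy placeholder the answer describes. It parses only what it needs from RFC 4880 (packet headers, the v4 public-key fields, the S2K usage octet) and recognises GnuPG's S2K extension (S2K type 101, then a hash octet, the bytes "GNU" and a mode octet, where mode 1 is gnu-dummy and mode 2 is divert-to-card). The two sample exports at the bottom are constructed by hand with placeholder MPIs and are not real keys; the exact octets GnuPG writes for a dummy (usage 255, cipher 0) are an assumption, and the parser accepts 254 or 255.

```python
"""Classify the key packets in a binary OpenPGP secret-key export.

Reports, per secret-key (tag 5) or secret-subkey (tag 7) packet, whether the
secret material is unprotected, passphrase-protected, or GnuPG's gnu-dummy
placeholder (what --export-secret-subkeys writes for the primary key).
Packet layout: RFC 4880 sec. 4.2 and 5.5.3; GNU S2K extension: GnuPG doc/DETAILS.
"""
import struct
import sys

# Public-key algorithms and how many MPIs their public part carries.
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA (n,e); Elgamal (p,g,y); DSA (p,q,g,y)
OID_ALGOS = {18, 19, 22}                       # ECDH, ECDSA, EdDSA: curve OID, then one MPI


def read_packets(data):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header (is the export armored?)")
        if ctb & 0x40:                                   # new-format header
            tag = ctb & 0x3F
            first = data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:
                raise ValueError("partial body lengths are not used in key exports")
        else:                                            # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packet")
            n = 1 << ltype
            length = int.from_bytes(data[i:i + n], "big"); i += n
        yield tag, data[i:i + length]
        i += length


def skip_mpi(body, i):
    """Return the offset just past the MPI that starts at offset i."""
    bits = struct.unpack(">H", body[i:i + 2])[0]
    return i + 2 + (bits + 7) // 8


def skip_public_part(body):
    """Return the offset of the S2K usage octet in a v4 key packet."""
    if body[0] != 4:
        raise ValueError("only v4 key packets are supported")
    algo = body[5]                  # byte 0 version, bytes 1-4 creation time
    i = 6
    if algo in OID_ALGOS:
        i += 1 + body[i]            # OID length octet + OID
        i = skip_mpi(body, i)       # public point / key
        if algo == 18:
            i += 1 + body[i]        # ECDH KDF parameters (length-prefixed)
    elif algo in MPI_COUNT:
        for _ in range(MPI_COUNT[algo]):
            i = skip_mpi(body, i)
    else:
        raise ValueError(f"unsupported public-key algorithm {algo}")
    return i


def classify_secret(body):
    """Describe how the secret half of one key packet is stored."""
    i = skip_public_part(body)
    usage = body[i]; i += 1
    if usage == 0:
        return "unprotected"
    if usage not in (254, 255):
        return f"protected (legacy, cipher {usage})"
    i += 1                          # symmetric cipher algorithm octet
    s2k_type = body[i]; i += 1
    if s2k_type == 101:             # GNU extension to S2K
        i += 1                      # hash algorithm octet
        if body[i:i + 3] != b"GNU":
            raise ValueError("malformed GNU S2K specifier")
        mode = body[i + 3]
        return {1: "gnu-dummy (no secret key)", 2: "divert-to-card"}.get(mode, f"GNU mode {mode}")
    return f"protected (S2K type {s2k_type})"


def inspect_export(data):
    """Return [(role, description), ...] for every secret key packet in the export."""
    return [("primary" if tag == 5 else "subkey", classify_secret(body))
            for tag, body in read_packets(data) if tag in (5, 7)]


# --- Constructed sample data, not real keys: tiny RSA public parts so the
# --- structure is easy to follow; only the packet framing is realistic.
def mpi(value):
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def packet(tag, body):
    """New-format header with a one-octet length (all bodies here are < 192 bytes)."""
    return bytes([0xC0 | tag, len(body)]) + body

RSA_PUBLIC = bytes([4]) + b"\x00\x00\x00\x00" + bytes([1]) + mpi(0x01) + mpi(0x03)
GNU_DUMMY = bytes([255, 0, 101, 0]) + b"GNU" + bytes([1])   # usage, cipher, S2K 101, hash, "GNU", mode 1
# usage 254 (SHA-1 check), AES-256, iterated+salted S2K, SHA-256, salt, count, IV, ciphertext
PROTECTED = bytes([254, 9, 3, 8]) + b"\x00" * 8 + bytes([96]) + b"\x00" * 16 + b"\x00" * 32
SECRET_MPIS = mpi(5) + mpi(7) + mpi(11) + mpi(13)           # placeholder d, p, q, u
UNPROTECTED = bytes([0]) + SECRET_MPIS + struct.pack(">H", sum(SECRET_MPIS) & 0xFFFF)

USER_ID = packet(13, b"Alice <alice@example.org>")
FULL_EXPORT = packet(5, RSA_PUBLIC + PROTECTED) + USER_ID + packet(7, RSA_PUBLIC + PROTECTED)
SUBKEYS_EXPORT = packet(5, RSA_PUBLIC + GNU_DUMMY) + USER_ID + packet(7, RSA_PUBLIC + PROTECTED)

if __name__ == "__main__":
    # Usage: gpg --export-secret-subkeys KEYID > sub.gpg && python3 inspect_export.py sub.gpg
    # (pipe an armored export through `gpg --dearmor` first).
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SUBKEYS_EXPORT
    for role, desc in inspect_export(data):
        print(f"{role:8} {desc}")
```

Run against a real export, the primary line of an --export-secret-subkeys file reads gnu-dummy (the same thing gpg --list-packets reports as a "gnu-dummy S2K"), while the primary line of an --export-secret-keys file shows the actual protection, which is the confirmation that a backup made with the first form does contain the master key.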
