why exporting private key without passphrase
David Shaw
dshaw at jabberwocky.com
Fri Jul 6 16:06:25 CEST 2007
On Wed, Jul 04, 2007 at 12:18:16PM -0300, jesus martinez wrote:
>
> Hello. My name is Jesus and I am writing to you from
> Argentina.
>
> I noticed that using GnuPG anyone who has access to
> a machine where it's installed can export any private
> key without being asked the correct passphrase.
>
> Isn't it a security issue? What if a computer is
> a public one?

In general, the secret keyring is not protected in any way - there is
little point. After all, even if GPG added some passphrase protection
before it would export a key, you can just go around GPG and do
something like "cp secring.gpg /mnt/my-thumb-drive" and take the whole
keyring.

That said, however, if you are running SELinux you can prevent
anything but GPG from reading the secring.gpg. In that case, a
passphrase requirement for export is meaningful and useful. It's
actually on the todo list, but hasn't happened yet.

David
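
The reply above places the real boundary at read access to secring.gpg rather than at GPG's export command. As an added example (not part of the original message or of GnuPG), this Python sketch audits which ordinary file permissions let another account read the keyring directly and reports any SELinux label on it; the function names and the throwaway sample directory are constructed for illustration.

```python
import os
import stat
import tempfile


def selinux_label(path):
    """Return the SELinux context stored on the file, or None if there is none.

    A label alone does not prove that policy confines reads to GPG; it only
    shows that SELinux labelling is in effect for this file.
    """
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except (AttributeError, OSError):  # non-Linux, unlabelled, or unsupported fs
        return None


def audit_keyring(gnupg_home, keyring="secring.gpg"):
    """List permission problems that let other accounts bypass GPG entirely."""
    findings = []
    ring = os.path.join(gnupg_home, keyring)
    for path, kind in ((gnupg_home, "directory"), (ring, "keyring")):
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{kind} {path}: group/other access (mode {mode:04o})")
        if st.st_uid != os.geteuid():
            findings.append(f"{kind} {path}: owned by uid {st.st_uid}")
    return findings


def make_sample_home(dir_mode, file_mode):
    """Build a constructed GnuPG home with an empty placeholder keyring."""
    home = tempfile.mkdtemp(prefix="gnupg-sample-")
    ring = os.path.join(home, "secring.gpg")
    with open(ring, "wb"):
        pass  # placeholder only, contains no key material
    os.chmod(ring, file_mode)
    os.chmod(home, dir_mode)
    return home


if __name__ == "__main__":
    for dir_mode, file_mode in ((0o755, 0o644), (0o700, 0o600)):
        home = make_sample_home(dir_mode, file_mode)
        print(home, audit_keyring(home) or "no permission findings")
        print("  SELinux label:", selinux_label(os.path.join(home, "secring.gpg")))
```

An empty result only means other local accounts are kept out by file permissions; any process running as the owning user can still read the file unless a mandatory access control policy such as SELinux restricts it.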