why exporting private key without passphrase

David Shaw dshaw at jabberwocky.com
Fri Jul 6 16:06:25 CEST 2007

On Wed, Jul 04, 2007 at 12:18:16PM -0300, jesus martinez wrote:
> Hello. My name is Jesus and am writing to you from
> Argentina.
> I noticed that using GnuPG anyone who has access to
> a machine where it's installed, can export any private
> key without being asked the correct passphrase.
> Isn't it a security issue? What if a computer is
> a public one?

In general, the secret keyring is not protected in any way - there is
little point.  After all, even if GPG added some passphrase protection
before it would export a key, you can just go around GPG and do
something like "cp secring.gpg /mnt/my-thumb-drive" and take the whole

That said, however, if you are running SELinux you can prevent
anything but GPG from reading the secring.gpg.  In that case, a
passphrase requirement for export is meaningful and useful.  It's
actually on the todo list, but hasn't happened yet.

