Work remaining for a 2.1 release?

NIIBE Yutaka gniibe at
Thu Feb 14 05:20:49 CET 2013

On 2013-02-13 at 17:48 -0800, Kyle Butt wrote:
> Can you give me a brief explanation of why the passphrase is needed
> for import?

I think that it's because of the difference between the encryption
mode of secring.gpg and the one under private-keys-v1.d/.

(I don't know the technical reason why it's different.)

According to RFC4880, secret-key packet is encrypted by CFB mode.

According to gnupg/agent/keyformat.txt, the latter only supports
the protection mode of openpgp-s2k3-sha1-aes-cbc.

If the protection mode of secret-key packet were supported by new
secret key storage, it would be possible to move such secret keys as
opaque data from secring.gpg to private-keys-v1.d/.

Currently, we need to decrypt the secret-key packet and to encrypt
again into the file under private-keys-v1.d/.  To decrypt/encrypt,
we use passphrase.

More information about the Gnupg-devel mailing list