Private key storage hashed vs mac

Werner Koch wk at
Thu Feb 21 11:15:36 CET 2013

On Thu, 21 Feb 2013 08:55, kylebutt at said:
> I'm curious about the private key storage. Currently the integrity of
> the key is protected by a sha1 of the plaintext. Were there
> discussions around using encrypt then authenticate with a mac?

The reason this scheme is used is because it is identical to the modern
OpenPGP way protecting keys.

We had this discussion a decade ago and it pops up on cryptography@ from
time to time.  However, if you want to evaluate this, please also
consider that a (protected) private key is not intended to be send over
any public channel [1] but merely acts as a fail stop mitigation in case
an attacker got physical access to the machine.  If it is possible for
attacker to gain access to the protected key he should also be able to
install malware to retrieve an unprotected copy of the key.



[1] Modulo Robert's offer to run an NYT ad with his private key.

Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list