Private key storage hashed vs mac

Kyle Butt kylebutt at
Thu Feb 21 17:22:21 CET 2013

On Feb 21, 2013 2:22 AM, "Werner Koch" <wk at> wrote:
> On Thu, 21 Feb 2013 08:55, kylebutt at said:
> > I'm curious about the private key storage. Currently the integrity of
> > the key is protected by a sha1 of the plaintext. Were there
> > discussions around using encrypt then authenticate with a mac?
> The reason this scheme is used is because it is identical to the modern
> OpenPGP way of protecting keys.

Can you point me at the reference for this?

> We had this discussion a decade ago and it pops up on cryptography@ from

Can you point me at the archives for that discussion?

> time to time.  However, if you want to evaluate this, please also
> consider that a (protected) private key is not intended to be sent over
> any public channel [1] but merely acts as a fail stop mitigation in case
> an attacker got physical access to the machine.  If it is possible for an
> attacker to gain access to the protected key he should also be able to
> install malware to retrieve an unprotected copy of the key.

There are scenarios where an attacker can read or modify your keys without
being able to put malware on a machine.

I wanted to find the discussion, but nothing turned up on Google.

> Salam-Shalom,
>    Werner
> [1] Modulo Robert's offer to run an NYT ad with his private key.
> --
> Thoughts are free.  Exceptions are governed by a federal law.

More information about the Gnupg-devel mailing list