2.1 key migration

Werner Koch wk at gnupg.org
Wed May 22 11:24:09 CEST 2013


I just pushed this change for GnuPG 2.1 (i.e. git master):

    Implement unattended OpenPGP secret key import.
    With the gpg-agent taking care of the secret keys, the user needs to
    migrate existing keys from secring.gpg to the agent.  This and also
    the standard import of secret keys required the user to unprotect the
    secret keys first, so that gpg-agent was able to re-protected them
    using its own scheme.  With many secret keys this is quite some
    usability hurdle.  In particular if a passphrase is not instantly
    To make this migration smoother, this patch implements an unattended
    key import/migration which delays the conversion to the gpg-agent
    format until the key is actually used.  For example:
       gpg2 --batch --import mysecretkey.gpg
    works without any user interaction due to the use of --batch.  Now if
    a key is used (e.g. "gpg2 -su USERID_FROM_MYSECRETKEY foo"), gpg-agent
    has to ask for the passphrase anyway, converts the key from the
    openpgp format to the internal format, signs, re-encrypts the key and
    tries to store it in the gpg-agent format to the disk.  The next time,
    the internal format of the key is used.
    This patch has only been tested with the old demo keys, more tests
    with other protection formats and no protection are needed.

Further work will be to compare the time of the last import to the
timestamp of secring.gpg and print a note if secring.gpg is newer.  A
one time pop-up window should also be presented to tell the user how to
migrate the keys and offer to start a migration.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list