Exporting secret keys does not honor s2k* options on gnupg-modern
Quentin Bourgeois
quentin at bourgeois.eu
Sat Mar 5 01:02:38 CET 2016
Hi,

After playing with two different versions of gnupg I can't
understand why I get different results when exporting a secret key.

Versions used:
  * GnuPG "modern" (2.1.11): from gnupg.org, archlinux package or debian sid
    packages
  * GnuPG "stable" (2.0.26): from debian jessie packages

While on the stable version exporting a secret key will use the s2k
variables from the gpg.conf file in order to encrypt the data, this is
not done on the modern version.

  * An example: my gpg.conf file contains at least the following

        s2k-cipher-algo AES256
        s2k-digest-algo SHA512
        s2k-mode 3
        s2k-count 65011712

  * On the stable, after exporting a secret key, the algorithms used
    are AES256 and SHA512

        gpg-stable$ gpg2 --output key_stable.asc --export-secret-key 0xA705288CC4B10159
        gpg-stable$ gpg2 --list-packets key_stable.asc
        :secret key packet:
        [...]
        iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: c8fb14ee7e02109d
        [...]

  * Whereas on the modern, the exported key only used AES128,
    regardless of my configuration

        gpg-modern$ ./g10/gpg2 --output key_modern.asc --export-secret-keys 0x0A07DCA573AC5B12
        gpg-modern$ ./g10/gpg2 --list-packets key_modern.asc
        :secret key packet:
        [...]
        iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 893E1125967FBDAC
        [...]

Note that I modify the key before exporting it.

After looking at some code of gnupg 2.11.1, the following line from
g10/export.c:995 could explain it:

    /* Prepare a cipher context. */
    err = gcry_cipher_open (&cipherhd, GCRY_CIPHER_AES128,
                            GCRY_CIPHER_MODE_AESWRAP, 0);

My questions:
  * Is having this difference what the dev wants?
  * Is there any way to choose how I can protect my exported
    secret key?
  * Do I miss something?

I will be glad to provide more information on my setup / problem if needed.

Thanks!
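
Added example, not part of the original post and not GnuPG code: a small checker that decodes the "algo:" and "hash:" IDs from `--list-packets` output (RFC 4880 numbering) and compares them with the s2k-* options in gpg.conf, using the values quoted in the message above. The function names are hypothetical, and treating "AES" as a spelling of AES128 is an assumption about how the option may be written.

```python
import re

# OpenPGP algorithm IDs (RFC 4880, sections 9.2 and 9.4).
CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH",
           7: "AES128", 8: "AES192", 9: "AES256", 10: "TWOFISH"}
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
# "hash:" is the S2K (key derivation) digest; "SHA1 protection" is the
# separate integrity checksum of the key material and is not compared here.
S2K_LINE = re.compile(
    r"(?P<mode>[\w+]+) S2K, algo: (?P<cipher>\d+),.*?hash: (?P<digest>\d+)")

# Inputs copied from the post above.
GPG_CONF = """s2k-cipher-algo AES256
s2k-digest-algo SHA512
s2k-mode 3
s2k-count 65011712
"""
STABLE = "iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: c8fb14ee7e02109d"
MODERN = "iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 893E1125967FBDAC"

def configured_s2k(conf_text):
    """Return the s2k-* options found in gpg.conf text as {option: VALUE}."""
    prefs = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()      # drop comments
        if len(parts) == 2 and parts[0].startswith("s2k-"):
            value = parts[1].upper()
            prefs[parts[0]] = "AES128" if value == "AES" else value
    return prefs

def exported_s2k(listing):
    """Return [(cipher, digest)] for every S2K line in --list-packets output."""
    return [(CIPHERS.get(int(m["cipher"]), "unknown(%s)" % m["cipher"]),
             HASHES.get(int(m["digest"]), "unknown(%s)" % m["digest"]))
            for m in S2K_LINE.finditer(listing)]

def mismatches(conf_text, listing):
    """List every packet field that differs from the configured s2k-* value."""
    prefs = configured_s2k(conf_text)
    out = []
    for i, (cipher, digest) in enumerate(exported_s2k(listing)):
        for opt, got in (("s2k-cipher-algo", cipher), ("s2k-digest-algo", digest)):
            if opt in prefs and prefs[opt] != got:
                out.append("packet %d: %s is %s, configured %s" % (i, opt, got, prefs[opt]))
    return out

if __name__ == "__main__":
    for name, listing in (("stable", STABLE), ("modern", MODERN)):
        print(name, mismatches(GPG_CONF, listing) or "matches gpg.conf")
```

Feeding it the full output of `gpg2 --list-packets` on an exported file reports one entry per protected secret key or subkey packet, so a backup can be checked before it is stored.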
More information about the Gnupg-devel
mailing list