Exporting secret keys does not honor s2k* options on gnupg-modern

Quentin Bourgeois quentin at bourgeois.eu
Sat Mar 5 01:02:38 CET 2016


Hi,

After playing with two different versions of gnupg I can't
understand why I get different results while exporting a secret key.

Used version:
  * GnuPG "modern" (2.1.11): from gnupg.org, archlinux package or debian sid
  packages
  * GnuPG "stable" (2.0.26): from debian jessie packages 

While on the stable version exporting a secret key will use the s2k
variable from the gpg.conf file in order to encrypt the data, this is
not done on the modern version.

  * An example, my gpg.conf file contains at least the following

s2k-cipher-algo AES256
s2k-digest-algo SHA512
s2k-mode 3
s2k-count 65011712 

  * On the stable, after exporting a secret key the used algorithms
    are AES256 and SHA512

gpg-stable$ gpg2 --output key_stable.asc --export-secret-key 0xA705288CC4B10159
gpg-stable$ gpg2 --list-packets key_stable.asc
:secret key packet:
        [...]
        iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: c8fb14ee7e02109d
        [...]

  * Whereas on the modern, the exported key only used AES128
    regardless of my configuration

gpg-modern$ ./g10/gpg2 --output key_modern.asc --export-secret-keys 0x0A07DCA573AC5B12
gpg-modern$ ./g10/gpg2 --list-packets key_modern.asc
:secret key packet:
        [...]
        iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 893E1125967FBDAC
        [...]

Note that I modify the key before exporting it.

After looking at some code of gnupg 2.11.1, the following line from
g10/export.c:995 could explain it:

/* Prepare a cipher context.  */
err = gcry_cipher_open (&cipherhd, GCRY_CIPHER_AES128,
                        GCRY_CIPHER_MODE_AESWRAP, 0);

My questions:
  * Is this difference what the developers want?
  * Is there any way to choose how my exported secret key is
    protected?
  * Am I missing something?

I will be glad to provide more information on my setup / problem if needed.

Thanks!
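A defender's check, added here and not part of the original mail or of GnuPG itself: it parses the S2K line that `gpg --list-packets` prints and compares the cipher and digest it reports with the s2k-cipher-algo / s2k-digest-algo settings in gpg.conf, using the two listings quoted above as constructed sample input.

```python
import re

# Algorithm IDs as printed by gpg --list-packets (RFC 4880, section 9),
# mapped to the names gpg.conf accepts for s2k-cipher-algo / s2k-digest-algo.
CIPHER_IDS = {3: "CAST5", 7: "AES", 8: "AES192", 9: "AES256", 10: "TWOFISH"}
HASH_IDS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
ALIASES = {"AES128": "AES"}  # gpg accepts both names for algorithm 7

# "SHA1 protection" on the same line is the key-material checksum, not the S2K hash,
# so only the "algo:" and "hash:" fields are read.
S2K_LINE = re.compile(r"S2K, algo: (\d+),.*?hash: (\d+)")

def parse_s2k(listing):
    """Return (cipher, digest) names from the first S2K line of a --list-packets dump."""
    for line in listing.splitlines():
        m = S2K_LINE.search(line)
        if m:
            cipher = CIPHER_IDS.get(int(m.group(1)), "cipher#" + m.group(1))
            digest = HASH_IDS.get(int(m.group(2)), "hash#" + m.group(2))
            return cipher, digest
    raise ValueError("no S2K line found; the secret key material is not passphrase-protected")

def configured_s2k(conf):
    """Pull the s2k-cipher-algo and s2k-digest-algo settings out of gpg.conf text."""
    wanted = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("s2k-cipher-algo", "s2k-digest-algo"):
            name = parts[1].upper()
            wanted[parts[0]] = ALIASES.get(name, name)
    return wanted

def check_export(conf, listing):
    """Return mismatch descriptions; an empty list means the export honours gpg.conf."""
    wanted = configured_s2k(conf)
    cipher, digest = parse_s2k(listing)
    problems = []
    if "s2k-cipher-algo" in wanted and wanted["s2k-cipher-algo"] != cipher:
        problems.append(f"cipher is {cipher}, gpg.conf asks for {wanted['s2k-cipher-algo']}")
    if "s2k-digest-algo" in wanted and wanted["s2k-digest-algo"] != digest:
        problems.append(f"digest is {digest}, gpg.conf asks for {wanted['s2k-digest-algo']}")
    return problems

# Constructed inputs, copied from the gpg.conf and listings quoted in the post above.
GPG_CONF = "s2k-cipher-algo AES256\ns2k-digest-algo SHA512\ns2k-mode 3\ns2k-count 65011712\n"
STABLE = ":secret key packet:\n\titer+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: c8fb14ee7e02109d\n"
MODERN = ":secret key packet:\n\titer+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 893E1125967FBDAC\n"

if __name__ == "__main__":
    for name, listing in (("stable", STABLE), ("modern", MODERN)):
        print(name, check_export(GPG_CONF, listing) or ["matches gpg.conf"])
```

Run it against `gpg2 --list-packets exported.asc` output after any upgrade to confirm the exported protection still matches the configured s2k-* values.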