Keypair created with gpg 1.0.7

Charly Avital
Tue May 28 21:51:01 2002

Thanks for your feedback.

Although I have complete control, including physical security, over the
computers involved, I choose not to enable simple-sk-checksum as an option.

I opted for the secure way you suggested.
The Terminal's output was the two identical lines:
gpg:generating the deprecated 16-bit checksum for secret key protection
gpg:generating the deprecated 16-bit checksum for secret key protection

I also tried the blank password method.

In both cases, I immediately restored the passphrase, after exporting the

Nevertheless, the exported key, first with the "deprecated 16-bit checksum,
and then with a blank passphrase, was not accepted.

The same thing happened, PGP quit, Eudora quit (depending on which method I
tried to use to import the secret key).

I have taken care to delete/wipe the secret key block in the exporting and
importing computers, as well as wiping free disk space.

Thanks again for your input. If you have other suggestions, I shall
appreciate them.


At 11:51 AM -0700 5/28/02, Leigh S. Jones wrote:
>This question sounds like it could be about the
>--simple-sk-checksum option.
>For improved security, gpg has a new database
>storage format for the secret key.  Exported keys use
>the new format, which is incompatible with older gpg
>versions as well as with PGP.  To make your exported
>keys PGP compatible, you need to store the keys in
>the database with the --simple-sk-checksum option
>enabled.  You could put the simple-sk-checksum into
>your options file if you are working on a computer
>that you have complete control over including physical
>The secure way to work with this is to:
>1) gpg --simple-sk-checksum --edit-key [keyID]
>Command> passwd
>Re-enter your password without changing it.
>Command> save
>2) Export the key.
>3) Edit and re-enter your password again, this
>time without the --simple-sk-checksum option.
>This puts you back into high security mode.
>Treat the exported secret keys carefully and don't
>allow them to be compromised.  Some people
>prefer to change the password to a blank.  Then they
>don't need to use the --simple-sk-checksum option.
>I think this is a real security problem.