How to protect private keys?

Sven Radde sven at
Fri Apr 13 09:13:25 CEST 2007


Moses schrieb:
> How to better protect private keys of GPG users?
Apart from the *very* good point of Robert, your private key is still
protected by its passphrase after you run "gpg --export-secret-key". It
therefore cannot be used by someone who does not know the passphrase
(however, when someone is able to run commands under your user account,
installing a keyboard sniffer should not be too difficult).

The export only gives an attacker convenient access to the key file. But
if he can run gpg commands, he could just copy your secring.gpg anyway,
so he already has access to the secret key. Asking for a passphrase to
export the key would not change anything.
In fact, if you do not intentionally share your user account on your
machine, accessing the secret keyring file itself might be achieved far
easier (i.e. via insecure file permissions on ~/.gnupg) than running
GnuPG commands under your user account.

So, make sure that nobody except you can execute "gpg
--export-secret-key" (on your keyrings) in the first place... :-)

cu, Sven
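The advice above comes down to making sure no other account on the machine can read the keyring files. The following is an added example (not part of Sven's post or of GnuPG itself) that checks a GnuPG home directory the way a local audit script would: the directory itself should be mode 700 and each keyring file inside it mode 600, so that a user with a different UID cannot simply copy secring.gpg. The directory path argument and the 700/600 thresholds are this example's own assumptions; it uses `stat` in its GNU form and falls back to the BSD form.

```shell
#!/bin/sh
# Added example: audit the permissions of a GnuPG home directory.
# A directory that other local users can traverse, or a keyring file they
# can read, gives them the secret keyring without ever running gpg.

file_mode() {
    # Print the octal permission bits of $1, e.g. 700 or 600.
    # GNU stat uses -c '%a'; BSD stat uses -f '%OLp'.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null
}

check_gnupg_home() {
    # Usage: check_gnupg_home [dir]   (defaults to ~/.gnupg, an assumption here)
    # Returns 0 when the directory is 700 (or 500) and every regular file in it
    # is 600 (or 400). Returns 1 and names each offending path otherwise,
    # 2 if the directory does not exist.
    dir="${1:-$HOME/.gnupg}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    mode=$(file_mode "$dir")
    case "$mode" in
        700|500) ;;
        *) echo "WARN: $dir has mode $mode (expected 700)"; rc=1 ;;
    esac
    # Only top-level regular files are checked; a 700 directory already keeps
    # other users out of any subdirectories (e.g. private-keys-v1.d in newer GnuPG).
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(file_mode "$f")
        case "$mode" in
            600|400) ;;
            *) echo "WARN: $f has mode $mode (expected 600)"; rc=1 ;;
        esac
    done
    return $rc
}

# Run against the real home directory when executed directly.
[ "${0##*/}" = "sh" ] || [ "${0##*/}" = "bash" ] || check_gnupg_home "$@"
```

The fix for anything it reports is `chmod 700 ~/.gnupg` and `chmod 600 ~/.gnupg/*`, which is also what GnuPG itself warns about ("unsafe permissions") when it starts.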
