manipulating the set of keys that can decrypt a file/message

Nicolas Boullis nboullis at
Thu Mar 4 22:34:04 CET 2010


Some time ago, I decided to revoke my old ElGamal encryption key and 
replace it with a new RSA one, that I keep stored on a smartcard. (The 
goal is to be ale to decrypt some messages/files with my laptop, but not 
have my keys compromised if it gets lost/stolen.)

The trouble is that I have a bunch of old messages/files, encrypted fr 
my old ElGamal key: I can't decrypt them on my laptop usig my smartcard.

So now, on a machine that has my old ElGamal secret key, I'd like to 
modify those messages/files to make it possible to decrypt them using my 
new RSA key.

I don't like the naive solution "gpg --decrypt | gpg --encrypt" because:
 - I would lose the signatures of messages/files that are both encrypted 
   and signed,
 - it requires to decrypt/encrypt the whole data whie it should be 
   sufficient to decrypt/encrypt the session key.

Reading RFC 4880 (OpenPGP standard), if I am able to decrypt the session 
key, it should be possible to create a new Public-Key Encrypted Session 
Key packet to allow a new key to decrypt the file/message. Removing a 
Public-Key Encrypted Session Key should also be trivial.

Does gnupg allow such manipulations?
Or does anyone have suggestions how I should implement this? Libraries 
to use?

I imagine such manipulations might also be interesting for things like 
encryped mailing-lists...


Nicolas Boullis,
happy gnupg user for more than 8 years
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 315 bytes
Desc: Digital signature
URL: </pipermail/attachments/20100304/5e946190/attachment.pgp>

More information about the Gnupg-users mailing list