Security of the gpg private keyring?

Aaron Toponce aaron.toponce at
Mon Feb 28 14:29:14 CET 2011

On 02/28/2011 04:47 AM, Guy Halford-Thompson wrote:
> Assuming I have password protected secret keys, can I assume that the
> gpg private keyring is secure?  I.e., if my private keyring was to
> fall into malicious hands, would the aforesaid hands be able to
> extract any useful information from my password protected keys?
> I am not taking about super-hackers cracking the keys here here...
> just things like metadata associated with the keys... email addresses,
> who has signed them, expiry date etc...

No. First, all that metadata is in your public key, not your private
key. Second, if your password (should be a "passphrase") is reasonably
secure, and by secure, I mean containing a decent amount of entropy
(like 120-bits), then you can at least sleep at night. No hacker in the
immediate future will be able to use your key until the passphrase is

With that said, if I knew that my private key had fallen into _anyone's_
hands other than my own, I would publish the revocation certificate
immediately, push it to every public keyserver, and make an announcement
of such to all my contacts. I would then go through the actions of
generating a new key, getting new signatures, etc.

. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 591 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110228/e0b46f16/attachment-0001.pgp>

More information about the Gnupg-users mailing list