Security of the gpg private keyring?
dshaw at jabberwocky.com
Mon Feb 28 15:09:35 CET 2011
On Feb 28, 2011, at 6:47 AM, Guy Halford-Thompson wrote:
> Assuming I have password protected secret keys, can I assume that the
> gpg private keyring is secure? I.e., if my private keyring was to
> fall into malicious hands, would the aforesaid hands be able to
> extract any useful information from my password protected keys?
> I am not talking about super-hackers cracking the keys here...
> just things like metadata associated with the keys... email addresses,
> who has signed them, expiry date etc...
You can do quite a lot with stuff like this. Who signed whom can tell you who this person has met, and often where. If you see a bunch of signatures around a particular date, look for a keysigning party on that date - now you have evidence they were there. Email addresses can reveal an enormous amount of information about a person. Robert and I did an experiment a few months ago where, starting only from his public key, I was easily able to find out real-world addresses, parents' names, siblings, etc.
However, all of this information is available in the *public* key as well. There is no need for an attacker to get this from your secret key when he can just get it from a handy keyserver.
Assuming you have a good passphrase on your secret key, the attacker can't get into it any more than he could get into a message you send.
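The reply's point is that the metadata an attacker might hope to pull from the secret keyring (user IDs, who signed the key and when, expiry) is already public. The following script is an added example, not code from the thread or from GnuPG: it parses the machine-readable output of `gpg --with-colons --list-sigs KEYID` (field layout as documented in GnuPG's doc/DETAILS, assumed here) so a key owner can audit what their own public key exposes. The sample output, key IDs, names and dates are constructed; `summarize` and `date_clusters` are names chosen for this example.

```python
"""Audit the metadata a public OpenPGP key exposes (added example).

Reads the colon-separated output of
    gpg --with-colons --list-sigs KEYID
and reports what anyone who fetches the key from a keyserver can see:
user IDs (and the email addresses in them), third-party signers, the
expiry date, and dates on which several signatures were made at once.
Field positions follow GnuPG's doc/DETAILS (assumption for this example).
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample output: key IDs, names, addresses and dates are invented.
SAMPLE = """\
pub:u:4096:1:0123456789ABCDEF:1296432000:1359590400::u:::scESC::::::
uid:u::::1296432000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Alice Example <alice@example.org>::::::::::
sig:::1:0123456789ABCDEF:1296432000::::Alice Example <alice@example.org>:13x::
sig:::1:1111111111111111:1298851200::::Bob Example <bob@example.net>:10x::
sig:::1:2222222222222222:1298851200::::Carol Example <carol@example.com>:12x::
sig:::1:3333333333333333:1298937600::::Dave Example <dave@example.org>:10x::
sub:u:4096:1:FEDCBA9876543210:1296432000:1359590400:::::e::::::
"""

EMAIL_RE = re.compile(r"<([^>]+)>")


def _date(ts):
    """Convert a Unix timestamp field to an ISO date; empty field means 'never'."""
    if not ts:
        return None
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).date().isoformat()


def parse_colons(text):
    """Split each non-empty line of --with-colons output into its fields."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def summarize(text):
    """Collect the publicly visible metadata from one key's listing."""
    summary = {
        "uids": [],          # user ID strings
        "emails": [],        # addresses pulled out of the user IDs
        "signers": [],       # (key id, user id) of third-party certifiers
        "self_sigs": 0,      # signatures made with the key itself
        "expires": None,     # ISO date or None if the key never expires
        "sig_dates": Counter(),  # how many third-party sigs per day
    }
    primary = None
    for f in parse_colons(text):
        kind = f[0]
        if kind == "pub":
            primary = f[4]                 # field 5: key id
            summary["expires"] = _date(f[6])  # field 7: expiration date
        elif kind == "uid":
            uid = f[9]                     # field 10: user id
            summary["uids"].append(uid)
            summary["emails"].extend(EMAIL_RE.findall(uid))
        elif kind == "sig":
            signer, when, who = f[4], _date(f[5]), f[9]
            if signer == primary:          # self-signature, not a social link
                summary["self_sigs"] += 1
                continue
            summary["signers"].append((signer, who))
            summary["sig_dates"][when] += 1
    return summary


def date_clusters(summary, min_sigs=2):
    """Dates with at least min_sigs third-party signatures, as the reply
    notes, such clusters usually point at a keysigning event."""
    return sorted(d for d, n in summary["sig_dates"].items() if n >= min_sigs)


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print("User IDs:   ", s["uids"])
    print("Emails:     ", s["emails"])
    print("Expires:    ", s["expires"])
    print("Signed by:  ", [who for _, who in s["signers"]])
    print("Sig clusters:", date_clusters(s))
```

Run it against your own key with `gpg --with-colons --list-sigs KEYID | python3 audit.py` after replacing `SAMPLE` with `sys.stdin.read()`; everything it prints is what a keyserver already serves, which is why protecting the secret keyring does not reduce this exposure.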