no password needed to export secret-keys?

David Shaw dshaw at jabberwocky.com
Mon Jun 4 17:26:31 CEST 2012


On Jun 4, 2012, at 10:27 AM, Sam Smith wrote:

> 
> Hi.
> 
> When I use the command: gpg --armor --output <document name> --export-secret-keys <KeyID>
> 
> shouldn't I be asked for the secret key's password before Export is allowed to complete? I've tried this on both Windows 7 and Ubuntu Linux and I'm never asked for a password. This doesn't seem secure to me. I would think that Export should not be allowed to occur until after the key's password is provided. Do I have something mis-configured? Can you explain how this is secure? 

The secret key is encrypted via your passphrase, so it is safe to export.  GPG is just copying some bytes from a file on disk, and you could copy the whole file yourself via 'cp' just as easily.

Still, you can do things with SELinux to prevent any process from reading the secret key file except GPG, and in that case, it might be reasonable to request a passphrase before exporting the key.

David




More information about the Gnupg-users mailing list