no password needed to export secret-keys?

Sam Smith smickson at hotmail.com
Mon Jun 4 17:57:02 CEST 2012







No, the exported file is NOT protected by the passphrase.

If I export the key. And then delete my secret key from my keyring. And now Import what I exported, I am not asked for a password before the  import is allowed to complete. That is, Anyone who gains access to my machine can export my secret key (no password required), take the product of the export to whatever computer they want and then import it (no password required).

I do not see where the security lies. Thanks for the help.

> From: mailinglisten at hauke-laging.de
> To: gnupg-users at gnupg.org
> CC: smickson at hotmail.com
> Subject: Re: no password needed to export secret-keys?
> Date: Mon, 4 Jun 2012 17:22:05 +0200
> 
> Am Mo 04.06.2012, 10:27:00 schrieb Sam Smith:
> 
> > When I use the command: gpg --armor --output <document name>
> > --export-secret-keys <KeyID>
> > 
> > shouldn't I be asked for the secret key's password before Export is allowed
> > to complete? I've tried this on both Windows 7 and Ubuntu Linux and I'm
> > never asked for a password. This doesn't seem secure to me. I would think
> > that Export should not be allowed to occur until after the key's password
> > is provided. Do I have something mis-configured? Can you explain how this
> > is secure?
> 
> The exported file is protected by the passphrase. That is similar to copying 
> the secring.
> 
> If you want the exported file to have a different passphrase then you have to 
> (make a backup of the secring and then) change the passphrase (--edit-key), 
> export the secret key afterwards and then either change the passphrase back or 
> overwrite the secring with the backup.
> 
> 
> Hauke
> -- 
> PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
 		 	   		   		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20120604/86d5afd7/attachment.htm>


More information about the Gnupg-users mailing list