no password needed to export secret-keys?

Sam Smith smickson at hotmail.com
Mon Jun 4 18:14:31 CEST 2012


Okay. So being able to export without password is by design then. I don't have anything misconfigured.

This makes it a trivial task to steal someone's secret key. All that's needed is access to the machine for a few seconds when no one is looking. 

I do not have enough technical know-how to configure SELinux or AppArmor. Does this mean there is no way to safeguard the secret key, other than the obvious one of not letting anyone use my user account? Or are there any security measures that you guys use to protect a secret key from being exported by someone else?


> From: mailinglisten at hauke-laging.de
> To: gnupg-users at gnupg.org
> CC: smickson at hotmail.com
> Subject: Re: no password needed to export secret-keys?
> Date: Mon, 4 Jun 2012 18:06:08 +0200
> 
> On Mon 04.06.2012, 11:56:22, Sam Smith wrote:
> 
> Please take care that you reply to the list.
> 
> > No, the exported file is NOT protected by the passphrase.
> > 
> > If I export the key, then delete my secret key from my keyring, and now
> > import what I exported, I am not asked for a password before the import is
> > allowed to complete. That is, anyone who gains access to my machine can
> > export my secret key (no password required), take the product of the export
> > to whatever computer they want and then import it (no password required).
> 
> You obviously have a completely wrong idea of what a passphrase is used for.
> 
> A passphrase is (if used) needed for crypto operations which need the private 
> key (the numbers). The passphrase just encrypts the key material, not the 
> whole exported file. Importing and exporting are not crypto operations.
> 
> If you want to prevent others from importing or exporting keys then prevent 
> them from accessing the files (a very common IT task that is not related to 
> GnuPG).
> 
> 
> Hauke
> -- 
> PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
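
The point in the quoted reply, that the passphrase encrypts only the key material inside the export and not the exported file, can be checked by reading the S2K usage octet of each secret-key packet (RFC 4880, section 5.5.3). The following is an added example, not part of the original thread or of GnuPG; the function names and sample bytes are constructed for illustration, and it handles only binary (non-armored) v4 packets with RSA, Elgamal or DSA keys.

```python
# Added example: reports whether secret-key material in an OpenPGP export is encrypted.
S2K_USAGE = {0: "unprotected", 254: "passphrase-encrypted (SHA-1 check)",
             255: "passphrase-encrypted (16-bit checksum)"}
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA, Elgamal, DSA (RFC 4880, 5.5.2)

def read_packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        pos += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body lengths are not handled")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled")
            size = 1 << ltype               # 1, 2 or 4 length octets
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        yield tag, data[pos:pos + length]
        pos += length

def secret_key_protection(body):
    """Skip the public fields of a v4 secret-key packet and decode the S2K usage octet."""
    if body[0] != 4 or body[5] not in PUBLIC_MPIS:
        raise ValueError("only v4 RSA, Elgamal and DSA keys are handled")
    pos = 6                                 # version + creation time + algorithm
    for _ in range(PUBLIC_MPIS[body[5]]):
        bits = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2 + (bits + 7) // 8          # 2-octet bit count, then the MPI value
    usage = body[pos]
    return S2K_USAGE.get(usage, "encrypted, legacy cipher id %d" % usage)

def audit_export(data):
    """Return (tag, protection) for every secret key (5) and secret subkey (7) packet."""
    return [(t, secret_key_protection(b)) for t, b in read_packets(data) if t in (5, 7)]

# Constructed sample, not a real key: toy MPIs n=0xC1, e=3.
_PUB = bytes([4, 0, 0, 0, 0, 1, 0, 8, 0xC1, 0, 2, 3])
SAMPLE_PROTECTED = bytes([0x94, len(_PUB) + 4]) + _PUB + bytes([254, 9, 3, 2])
SAMPLE_CLEAR = bytes([0xC5, len(_PUB) + 1]) + _PUB + bytes([0])
```

To audit a real export, pass `audit_export` the bytes written by `gpg --export-secret-keys` without `--armor`; any packet reported as "unprotected" carries key material that no passphrase guards.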
 		 	   		  