no password needed to export secret-keys?
Sam Smith
smickson at hotmail.com
Mon Jun 4 18:14:31 CEST 2012
Okay. So being able to export without password is by design then. I don't have anything misconfigured.
This makes it a trivial task to steal someone's secret key. All that's needed is access to the machine for a few seconds when no one is looking.
I don't have the technical know-how to configure SELinux or AppArmor. Does this mean there is no way to safeguard the secret key, other than the obvious one of not letting anyone use my user account? Or are there any security measures that you guys use to protect the secret key from being exported by someone else?
> From: mailinglisten at hauke-laging.de
> To: gnupg-users at gnupg.org
> CC: smickson at hotmail.com
> Subject: Re: no password needed to export secret-keys?
> Date: Mon, 4 Jun 2012 18:06:08 +0200
>
> On Mon 04.06.2012, 11:56:22, Sam Smith wrote:
>
> Please take care that you reply to the list.
>
> > No, the exported file is NOT protected by the passphrase.
> >
> > If I export the key, then delete my secret key from my keyring, and now
> > import what I exported, I am not asked for a password before the import is
> > allowed to complete. That is, anyone who gains access to my machine can
> > export my secret key (no password required), take the product of the export
> > to whatever computer they want and then import it (no password required).
>
> You obviously have a completely wrong idea of what a passphrase is used for.
>
> A passphrase is (if used) needed for crypto operations which need the private
> key (the numbers). The passphrase just encrypts the key material, not the
> whole exported file. Importing and exporting are not crypto operations.
>
> If you want to prevent others from importing or exporting keys then prevent
> them from accessing the files (a very common IT task that is not related to
> GnuPG).
>
>
> Hauke
> --
> PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
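Hauke's point (the passphrase encrypts only the private key material, not the exported file, so anyone can read and import the packets) can be checked directly on an exported blob. The script below is an added example, not code from the thread or from GnuPG: it walks the OpenPGP packet stream and reports the s2k-usage octet of each secret-key packet, which tells whether the private MPIs are encrypted under a passphrase or stored in the clear. The sample packets it parses are constructed toy RSA packets, not real keys.

```python
import struct
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # public-key algo id -> public MPIs before the s2k-usage octet (RSA*, ElGamal, DSA)

def read_packets(data):
    """Yield (tag, body) per packet; old- and new-format headers (RFC 4880 4.2), no partial-body lengths."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:  # new-format header
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 5..2, length field is 2**(bits 1..0) octets
            tag, size = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        yield tag, data[pos:pos + length]
        pos += length

def secret_key_protection(body):
    """s2k-usage octet of a v4 secret (sub)key body: 0 = private MPIs in the clear, 254/255 = passphrase-encrypted."""
    assert body[0] == 4, "only v4 keys handled"
    pos = 6  # version(1) + creation time(4) + algorithm id(1)
    for _ in range(PUBLIC_MPI_COUNT[body[5]]):  # skip the public MPIs, which are never encrypted
        pos += 2 + (struct.unpack(">H", body[pos:pos + 2])[0] + 7) // 8
    return body[pos]

def audit(exported):
    """Classify every secret-key (tag 5) and secret-subkey (tag 7) packet in an exported blob."""
    return [(tag, "protected" if secret_key_protection(body) else "UNPROTECTED")
            for tag, body in read_packets(exported) if tag in (5, 7)]

def mpi(value):  # OpenPGP multiprecision integer: 2-octet bit length + big-endian magnitude
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def constructed_secret_key(s2k_usage):
    """Constructed toy RSA secret-key packet (not a real key) carrying the given s2k-usage octet."""
    body = b"\x04" + struct.pack(">I", 1338800000) + b"\x01" + mpi(0xC0FFEE) + mpi(65537) + bytes([s2k_usage])
    if s2k_usage == 254:  # AES-256, iterated+salted S2K (SHA-256), 8-byte salt, count, 16-byte IV, ciphertext
        body += b"\x09\x03\x08" + bytes(8) + b"\x60" + bytes(16) + bytes(32)
    else:  # private MPIs d, p, q, u in the clear, then the 2-octet checksum
        body += mpi(0xD) + mpi(0xE) + mpi(0xF) + mpi(0x10) + b"\x00\x00"
    return bytes([0x80 | (5 << 2) | 1]) + struct.pack(">H", len(body)) + body  # old-format header, 2-octet length
```

A real `--export-secret-keys` output also carries user-ID, signature and subkey packets; `audit` skips everything except tags 5 and 7, and an "UNPROTECTED" result means the file alone is enough to sign or decrypt as that key.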