new helper program for configuration import / export

Peter Lebbing peter at digitalbrains.com
Sun Oct 19 21:10:20 CEST 2014


On 19/10/14 15:32, Hauke Laging wrote:
> I am quite sure that this is the opposite of easier. Why?
> 
> a) Because you have to change the passphrase of each secret key.
> 
> b) Because you have to change them back after exporting.

It is clear you are not working on the same assumption as I did: that
there were already good passphrases on the keys, because this is simply
good practice, and that the extra thing was just to prevent accidents by
making people think for a moment. Like you pat your pocket before you
close your front door, to make sure you have your keys in your pocket.

Have you thought of a way to only have to enter a password once and use
that for each (sub)key you wish to change, without keeping it in
swap-eligible memory? Or am I still not comprehending what it is you
want to do? Perhaps you could elaborate on the procedure you have in mind.

>> Also remember that the
>> keybox format is different between GnuPG versions (secring.gpg vs.
>> private-keys-v1.d)
> 
> I must admit that I didn't know that. I hardly use 1.4.x.

1.4 and 2.0 as they are now both use secring.gpg, I think. I don't know
in detail which versions use secring.gpg and which use
private-keys-v1.d, and neither do I know how this will be in the future.
And there's the kicker: if you just exclude the harmful files, you pick
up any later additions that don't exist yet but are worth it to backup.
I think it is more likely that things you want to backup are later
added, than that things that you wish to exclude are later added. But
this is an assessment, not knowledge.

> What does that mean? Can 1.4.x and 2.0.x not operate on the same secret 
> key ring? Is it converted automatically (in which direction)? I guess 
> this problem does not affect exporting secret keys.
> 
> Maybe you have a pointer for this problem.

I've forgotten. I think gpgsm already uses private-keys-v1.d and GnuPG
2.1 will be using them for OpenPGP as well. But Werner surely knows
better. I do know that just backing up pubring.gpg and secring.gpg will
soon mean you're not backing up the secret key.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
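The include-list versus exclude-list argument above (only naming pubring.gpg and secring.gpg misses a key store such as private-keys-v1.d that is added later, whereas excluding known-harmful files picks new stores up automatically) can be made concrete with a small shell script. This is an added example, not code from the thread or from GnuPG; the directory contents, the .key file name and the lock-file name are constructed, and the choice of random_seed and lock files as the files to exclude is an assumption, since the thread does not say which files are the harmful ones.

```shell
#!/bin/sh
# Added example: contrast an include-list backup of a GnuPG home directory
# with an exclude-list backup, using a constructed stand-in for ~/.gnupg.
# Assumption: random_seed and lock files are the kind of files one does not
# want in a backup; the mailing-list thread does not name them.
set -eu

# Build a constructed GnuPG home directory under the given path.
make_fake_gnupghome() {
    dir="$1"
    mkdir -p "$dir/private-keys-v1.d"
    printf 'pub' > "$dir/pubring.gpg"
    printf 'sec' > "$dir/secring.gpg"
    printf 'key' > "$dir/private-keys-v1.d/0123456789ABCDEF.key"  # constructed name
    printf 'cfg' > "$dir/gpg.conf"
    printf 'seed' > "$dir/random_seed"
    : > "$dir/.#lk0x1234.host.1234"  # constructed lock-file name
}

# Include-list backup: only the files explicitly named. This is the approach
# that stops backing up the secret key once it lives in private-keys-v1.d.
backup_include_list() {
    src="$1"; out="$2"
    tar -C "$src" -cf "$out" pubring.gpg secring.gpg
}

# Exclude-list backup: everything except files assumed harmful to copy, so a
# newly added key store is picked up without editing the backup script.
backup_exclude_list() {
    src="$1"; out="$2"
    tar -C "$src" --exclude='random_seed' --exclude='.#lk*' -cf "$out" .
}

# Succeeds when a member path of the archive matches the given pattern.
archive_contains() {
    tar -tf "$1" | grep -q -- "$2"
}

# Stand-alone demonstration: show what each strategy captures.
demo_dir=$(mktemp -d)
make_fake_gnupghome "$demo_dir/gnupg"
backup_include_list "$demo_dir/gnupg" "$demo_dir/include.tar"
backup_exclude_list "$demo_dir/gnupg" "$demo_dir/exclude.tar"
echo "include-list archive:"; tar -tf "$demo_dir/include.tar"
echo "exclude-list archive:"; tar -tf "$demo_dir/exclude.tar"
rm -rf "$demo_dir"
```

Running it lists the two archives: the include-list one holds only the two keyrings, while the exclude-list one also holds gpg.conf and private-keys-v1.d and leaves random_seed and the lock file out.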


