Silent re-encryption of private keys by gpg-agent: expected behaviour?

Baptiste Jonglez baptiste at
Sun Aug 23 23:42:06 CEST 2015


I spent quite some time wondering why, a few days ago, one of my private
keys had suddenly changed.  More precisely, the file holding the private
key (~/.gnupg/private-keys-v1.d/${keygrip}.key) had changed, without any
obvious reason.  Note that I am using gnupg 2.1.6, so this is the new
private key format.

After some investigation with a backup, it looks like the change is merely
a re-encryption of the private key using a different algorithm.  I am not
familiar with the private key format, but it looks like bencoded data.
The old file exhibits the following string:


while the modified file contains instead:


Besides this, lots of binary data has changed in the file.

This is an old subkey, created in 2010 and revoked in 2013, which got
converted to the new gpg-agent format in late 2014, when I started using
gnupg 2.1.0.

My theory is that, a few days ago, I was reading an old email,
encrypted towards this old subkey.  Upon using the private key, gpg-agent
might have realised that the encryption algorithm of the private key is
weak, and decided to silently re-encrypt the key using a newer algorithm.
If this theory holds, then this behaviour was probably introduced between
gnupg 2.1.0 and 2.1.6, because gnupg 2.1.0 converted the old key to the
new gpg-agent format using the "weak" encryption algorithm.

Still, I am not very comfortable about a private key getting suddenly
modified.  Is this the expected behaviour?  I couldn't find any hint about
private key re-encryption in the release notes or in the various man
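A way to check the theory above without eyeballing binary diffs, as an added example that is not part of the original post: gpg-agent stores the files in private-keys-v1.d as length-prefixed canonical S-expressions (the "<length>:<bytes>" atoms are why the file looks bencoded), and the cipher/S2K choice sits in a `(protected <algo> ...)` sub-list. The reader below parses that layout, extracts the protection token and compares two versions of a key file; the sample inputs and the algorithm names in them are constructed placeholders, and the exact tree shape is assumed from the 2.1.x format rather than taken from the post.

```python
import hashlib


def parse_csexp(data: bytes, pos: int = 0):
    """Parse one canonical S-expression element at `pos`.
    Lists become Python lists, atoms become bytes.  Returns (elem, next_pos)."""
    if data[pos:pos + 1] == b"(":
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b")":
            item, pos = parse_csexp(data, pos)
            items.append(item)
        return items, pos + 1
    colon = data.index(b":", pos)          # atom is "<len>:<raw bytes>"
    length = int(data[pos:colon])          # length prefix, so binary blobs are safe
    start = colon + 1
    return data[start:start + length], start + length


def find_protection(sexp):
    """Depth-first search for a (protected <algo> ...) list; return <algo>."""
    if isinstance(sexp, list):
        if sexp and sexp[0] == b"protected" and len(sexp) > 1:
            return sexp[1].decode()
        for item in sexp:
            found = find_protection(item)
            if found:
                return found
    return None


def describe_keyfile(data: bytes) -> dict:
    """Summarise a key file: content hash, top-level type, protection token."""
    sexp, _ = parse_csexp(data)
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "type": sexp[0].decode(),
            "protection": find_protection(sexp)}


def compare_keyfiles(old: bytes, new: bytes) -> dict:
    """Report whether the bytes changed and which protection tokens are used."""
    a, b = describe_keyfile(old), describe_keyfile(new)
    return {"changed": a["sha256"] != b["sha256"],
            "same_type": a["type"] == b["type"],
            "protection": (a["protection"], b["protection"])}


# Constructed samples (placeholder algorithm names, tiny stand-in blobs):
# shape is (protected-private-key (rsa (n ..)(e ..)(protected ALGO (s2k) blob)))
OLD = b"(21:protected-private-key(3:rsa(1:n2:AB)(1:e3:ABC)(9:protected8:old-algo(3:s2k)5:blob1)))"
NEW = b"(21:protected-private-key(3:rsa(1:n2:AB)(1:e3:ABC)(9:protected8:new-algo(3:s2k)5:blob2)))"

if __name__ == "__main__":
    print(compare_keyfiles(OLD, NEW))
```

Run it on a backup and the current file (`describe_keyfile(open(path, "rb").read())`) to see whether only the protection token and ciphertext moved while the key type stayed the same.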
