Silent re-encryption of private keys by gpg-agent: expected behaviour?

Werner Koch wk at
Mon Aug 24 09:42:17 CEST 2015

On Sun, 23 Aug 2015 23:42, baptiste at said:

> keys had suddenly changed.  More precisely, the file holding the private
> key (~/.gnupg/private-keys-v1.d/${keygrip}.key) had changed, without any
> obvious reason.  Note that I am using gnupg 2.1.6, so this is the new
> private key format.

The 2.1 migration process takes the keys from secring.gpg and stores
them in private-keys-v1.d.  Now, that format is different (it exists
since the introduction of GnuPG 2.0 but was only used for X.509 keys)
and thus it would required a re-encryption of the key.  Obviously this
requires the passphrase.  Now if you have several private keys you would
be asked for a passphrase for each key - this is not a good idea for a
key migration process which should run unattended.

Thus the key is stored in a temporary format until you use it the first
time - then the passphrase is required anyway and gpg=agent can convert
the key to the new format.

Details of the format can be found in  gnupg/agent/keyformat.txt.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list