Silent re-encryption of private keys by gpg-agent: expected behaviour?
Werner Koch
wk at gnupg.org
Mon Aug 24 09:42:17 CEST 2015
On Sun, 23 Aug 2015 23:42, baptiste at bitsofnetworks.org said:
> keys had suddenly changed. More precisely, the file holding the private
> key (~/.gnupg/private-keys-v1.d/${keygrip}.key) had changed, without any
> obvious reason. Note that I am using gnupg 2.1.6, so this is the new
> private key format.
The 2.1 migration process takes the keys from secring.gpg and stores
them in private-keys-v1.d. Now, that format is different (it exists
since the introduction of GnuPG 2.0 but was only used for X.509 keys)
and thus it would require a re-encryption of the key. Obviously this
requires the passphrase. Now if you have several private keys you would
be asked for a passphrase for each key - this is not a good idea for a
key migration process which should run unattended.
Thus the key is stored in a temporary format until you use it the first
time - then the passphrase is required anyway and gpg-agent can convert
the key to the new format.
Details of the format can be found in gnupg/agent/keyformat.txt.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
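To check this on your own keyring, here is a small script (added to this archived thread as an example, not code from GnuPG or from Werner) that tells migrated-but-not-yet-converted keys apart from keys gpg-agent has already re-encrypted, and records a hash per keygrip so that a later change can be matched to a conversion rather than to tampering. The S-expression token names it looks for (protected-private-key, shadowed-private-key, the "openpgp-native" protection mode used for migrated keys and the "openpgp-s2k3-sha1-aes-cbc" mode gpg-agent writes) are taken from gnupg/agent/keyformat.txt as I read it; check them against the keyformat.txt of your version. The four key files the script creates are constructed placeholders, not real key material, and the inner structure of the protected blobs is abbreviated.

```shell
#!/bin/sh
# Added example, not GnuPG code: inventory a private-keys-v1.d directory and
# report, per keygrip, whether the key is still in the temporary post-migration
# form ("native"), already re-encrypted by gpg-agent ("agent"), a smartcard
# stub ("shadowed") or stored without passphrase ("clear").
# Token names follow gnupg/agent/keyformat.txt (assumption: unchanged in 2.1.6).

# key_mode FILE -> native | agent | shadowed | clear | unknown
key_mode() {
    # Real key files are canonical S-expressions, so the tokens appear with a
    # length prefix ("14:openpgp-native"); a plain grep on the bytes still matches.
    if grep -q 'shadowed-private-key' "$1"; then
        echo shadowed      # key lives on a card; nothing to re-encrypt
    elif grep -q 'protected-private-key' "$1"; then
        if grep -q 'openpgp-native' "$1"; then
            echo native    # still carries the secring.gpg protection
        else
            echo agent     # gpg-agent has converted it on first use
        fi
    elif grep -q 'private-key' "$1"; then
        echo clear         # no passphrase on this key
    else
        echo unknown
    fi
}

# key_inventory DIR -> one line per key file: "<keygrip> <mode> <sha256>".
# Save this once after migrating; on a later run a line that flips from
# native to agent (with a new hash) is the conversion, not an unexpected write.
key_inventory() {
    for f in "$1"/*.key; do
        [ -f "$f" ] || continue
        grip=$(basename "$f" .key)
        sum=$(sha256sum "$f" 2>/dev/null || shasum -a 256 "$f")
        echo "$grip $(key_mode "$f") ${sum%% *}"
    done
}

# count_mode DIR MODE -> number of key files in DIR with that mode
count_mode() {
    key_inventory "$1" | awk -v m="$2" '$2 == m' | wc -l | tr -d ' '
}

# Constructed sample directory standing in for ~/.gnupg/private-keys-v1.d.
# Keygrips are fake, hex values are placeholders, blobs are abbreviated.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Migrated from secring.gpg, passphrase never entered since: still native.
cat > "$SAMPLE_DIR/1111111111111111111111111111111111111111.key" <<'EOF'
(protected-private-key
 (rsa (n #00C0FFEE#) (e #010001#)
  (protected openpgp-native
   (openpgp-private-key (version 4) (algo rsa) (skey _ #00C0FFEE# _ #010001# e #5EC8E7#))))
 (protected-at "20150824T074217"))
EOF

# Used once since the migration: gpg-agent has rewritten it in its own mode.
cat > "$SAMPLE_DIR/2222222222222222222222222222222222222222.key" <<'EOF'
(protected-private-key
 (rsa (n #00C0FFEE#) (e #010001#)
  (protected openpgp-s2k3-sha1-aes-cbc ((sha1 #0123456789ABCDEF# "65536") #000102030405060708090A0B0C0D0E0F#) #5EC8E7#)
  (protected-at "20150824T074217")))
EOF

# Smartcard stub: only a reference to the card, never re-encrypted.
cat > "$SAMPLE_DIR/3333333333333333333333333333333333333333.key" <<'EOF'
(shadowed-private-key
 (rsa (n #00C0FFEE#) (e #010001#)
  (shadowed t1-v1 (#D2760001240102000005000011730000# OPENPGP.1))))
EOF

# Key without passphrase.
cat > "$SAMPLE_DIR/4444444444444444444444444444444444444444.key" <<'EOF'
(private-key
 (rsa (n #00C0FFEE#) (e #010001#) (d #5EC8E7#) (p #0B# ) (q #0D#) (u #07#)))
EOF

key_inventory "$SAMPLE_DIR"
```

Run it against the real directory with `key_inventory ~/.gnupg/private-keys-v1.d > keys.before` right after migrating, then diff a fresh run after you have used a key: the only lines that should differ are the ones that moved from native to agent.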