Why gpg 2.1.9 cannot export secret key without passphrase?

Guilhem Moulin guilhem at fripost.org
Fri Nov 27 12:05:36 CET 2015


On Fri, 27 Nov 2015 at 12:39:30 +0300, Dmitrii Tcvetkov wrote:
> In this case the passphrase is needed to decrypt the private key from the keyring.
> Because the passphrase is not provided, gpg-agent can't give gpg the
> private key.

Or perhaps Andrey tries to export an *unprotected* private key using
GnuPG 2.1.  In that case this seems to be a known issue [0].

> Private key exports in cleartext.

I think this is incorrect.  gpg --export's output is always in the
OpenPGP format (possibly armored), while as of 2.1 private material is
stored in another format (in ~/.gnupg/private-keys-v1.d/$KEYGRIP.key).
Thus the agent asks for the passphrase to decrypt the private key, and
gpg reencrypts it on the fly (using the same passphrase).  gpg2(1) also
says:

  --export-secret-keys

      GnuPG may ask you to enter the passphrase for the key.  This is
      required because the internal protection method of the secret key is
      different from the one specified by the OpenPGP protocol.

Indeed ‘gpg2 --export-secret-keys $KEYID | gpg --list-only --list-packets’
tells me that the secret material is protected.

-- 
Guilhem.

[0] https://bugs.gnupg.org/gnupg/issue2070
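To make the "protected vs. cleartext" question concrete, here is an added example (not code from the thread or from GnuPG) that parses the first packet of a binary `--export-secret-keys` output the way `--list-packets` does and reports the S2K usage octet of the secret-key packet: 254 or 255 means the secret MPIs are encrypted under a passphrase-derived key (what gpg re-applies on the fly), 0 means they are in the clear (the unprotected-key case from issue 2070). The two sample packets are constructed, not real keys; only v4 RSA/DSA/ElGamal public parts are handled, and the cipher/hash name tables are assumptions limited to common algorithm ids.

```python
"""Inspect an OpenPGP v4 secret-key packet (RFC 4880 section 5.5.3) and
report how its secret material is protected."""
import struct
import sys

# Number of public-key MPIs that precede the S2K usage octet, per algorithm id
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}   # RSA variants, ElGamal, DSA
SYM_NAMES = {3: "CAST5", 7: "AES128", 8: "AES192", 9: "AES256"}
HASH_NAMES = {2: "SHA1", 8: "SHA256", 10: "SHA512"}
S2K_MODES = {0: "simple", 1: "salted", 3: "iterated+salted"}


def read_packet_header(data, pos=0):
    """Return (tag, body_start, body_len) for an old- or new-format header."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet (CTB bit 7 clear)")
    if ctb & 0x40:                                # new-format header
        tag = ctb & 0x3F
        b0 = data[pos + 1]
        if b0 < 192:
            return tag, pos + 2, b0
        if b0 < 224:
            return tag, pos + 3, ((b0 - 192) << 8) + data[pos + 2] + 192
        if b0 == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise NotImplementedError("partial body lengths not supported")
    tag = (ctb >> 2) & 0x0F                       # old-format header
    ltype = ctb & 0x03
    if ltype == 3:                                # indeterminate length
        return tag, pos + 1, len(data) - pos - 1
    nbytes = 1 << ltype                           # 1, 2 or 4 length octets
    length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
    return tag, pos + 1 + nbytes, length


def read_mpi(body, pos):
    """Decode one MPI (2-octet bit count, then big-endian magnitude)."""
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    n = (bits + 7) // 8
    return int.from_bytes(body[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def inspect_secret_key(data):
    """Parse the first packet of `data`; it must be a secret (sub)key packet."""
    tag, start, length = read_packet_header(data)
    if tag not in (5, 7):
        raise ValueError(f"expected secret (sub)key packet, got tag {tag}")
    body = data[start:start + length]
    if body[0] != 4:
        raise NotImplementedError(f"only v4 keys handled, got v{body[0]}")
    algo = body[5]                                # after version + 4-octet time
    if algo not in MPI_COUNT:
        raise NotImplementedError(f"public-key algorithm {algo} not handled")
    pos = 6
    for _ in range(MPI_COUNT[algo]):              # skip the public MPIs
        _, pos = read_mpi(body, pos)
    usage = body[pos]
    info = {"algo": algo, "s2k_usage": usage, "protected": usage != 0}
    if usage in (254, 255):                       # cipher + S2K specifier follow
        info["cipher"] = SYM_NAMES.get(body[pos + 1], body[pos + 1])
        info["s2k_mode"] = S2K_MODES.get(body[pos + 2], body[pos + 2])
        info["hash"] = HASH_NAMES.get(body[pos + 3], body[pos + 3])
        info["integrity"] = "SHA1" if usage == 254 else "16-bit checksum"
    elif usage != 0:                              # legacy: octet is the cipher id
        info["cipher"] = SYM_NAMES.get(usage, usage)
    return info


def _mpi(value):
    return struct.pack(">H", value.bit_length()) + value.to_bytes(
        (value.bit_length() + 7) // 8, "big")


def _packet(tag, body):
    # old-format header with a two-octet length, as gpg writes for tag 5
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


# Constructed sample: toy RSA public part (n=0xC5A1, e=65537), NOT a real key
PUBLIC_PART = b"\x04" + struct.pack(">I", 1448625330) + b"\x01" + _mpi(0xC5A1) + _mpi(65537)

PROTECTED_KEY = _packet(5, PUBLIC_PART
    + b"\xfe"                                 # S2K usage 254: encrypted, SHA-1 hash
    + b"\x09"                                 # AES-256
    + b"\x03\x08"                             # iterated+salted S2K using SHA-256
    + b"\x01\x02\x03\x04\x05\x06\x07\x08"     # salt (constructed)
    + b"\xe0"                                 # iteration count octet
    + bytes(16)                               # IV (constructed zeros)
    + bytes(40))                              # encrypted MPIs placeholder

UNPROTECTED_KEY = _packet(5, PUBLIC_PART
    + b"\x00"                                 # S2K usage 0: secret MPIs in clear
    + _mpi(0x1234) + _mpi(0xD3) + _mpi(0xEF) + _mpi(0x45)   # d, p, q, u (toy)
    + b"\x00\x00")                            # 2-octet checksum placeholder

if __name__ == "__main__":
    if not sys.stdin.isatty():                # e.g. gpg2 --export-secret-keys $KEYID | python3 this.py
        print(inspect_secret_key(sys.stdin.buffer.read()))
    else:
        for name, pkt in (("protected", PROTECTED_KEY), ("unprotected", UNPROTECTED_KEY)):
            print(name, inspect_secret_key(pkt))
```

Run without input it reports the two constructed packets; piped a binary (not `--armor`) export it reports the primary key packet, which is always first in the export. A `protected: True` result with usage 254 is exactly what Guilhem's `--list-packets` check shows, and it is why the agent has to prompt: the material in `private-keys-v1.d` is decrypted and then re-wrapped in this S2K format before it leaves gpg.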