Why gpg 2.1.9 cannot export secret key without passphrase?

Peter Lebbing peter at digitalbrains.com
Mon Nov 30 20:53:29 CET 2015


On 30/11/15 20:10, Andrey Utkin wrote:
> Is it impossible straight from RFC 4880 in any defined mode, or is
> it just a wrong behaviour in GnuPG/Libgcrypt?

It is a specific bug of GnuPG 2.1, and Werner's comment on the bug entry
mentioned here makes me believe he intends to fix it eventually.

GnuPG 1.4 and 2.0 can export keys without passphrases, and this is fully
defined in RFC 4880.

> Empty passphrases are banned in several places in this software:

Yes; that's because there is a difference between not encrypting stuff
and encrypting it with an empty passphrase :). The latter is just silly.
The only purpose of doing that is to be able to tell your client that
you "encrypted it" without technically lying. And I'm not making stuff
up. This actually happens (I'm looking at you, DropBox!).

When a private key is stored without a passphrase, it is stored without
encryption. The actual packet looks different: it clearly indicates that
what follows is plaintext. If you were to encrypt it with an empty
passphrase, it would actually be encrypted, but with a key that
corresponds to an empty passphrase and hence would be trivially cracked
by anyone.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

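As an added illustration (not Peter's code and not GnuPG's), the following Python parser reads the string-to-key usage octet of a v4 Secret-Key packet, the field that makes a plaintext secret key and an encrypted one look different on the wire. The two packets are constructed for the demo and carry no real key material; only old-format packet headers with a 1- or 2-octet length are handled.

```python
import struct

# RFC 4880 5.5.3: after the public-key MPIs of a v4 Secret-Key packet comes the
# "string-to-key usage" octet that tells whether the secret MPIs are plaintext.
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA n,e / ElGamal p,g,y / DSA p,q,g,y

def _skip_mpi(buf, off):
    """Skip one MPI: 2-octet bit count, then ceil(bits/8) octets."""
    bits = struct.unpack(">H", buf[off:off + 2])[0]
    return off + 2 + (bits + 7) // 8

def _packet_body(pkt):
    """Strip an old-format header (assumption: 1- or 2-octet length) of tag 5 or 7."""
    ctb = pkt[0]
    if not ctb & 0x80 or ctb & 0x40 or (ctb >> 2) & 0x0F not in (5, 7):
        raise ValueError("expected an old-format Secret-Key/Secret-Subkey packet")
    if ctb & 0x03 == 0:
        length, hdr = pkt[1], 2
    elif ctb & 0x03 == 1:
        length, hdr = struct.unpack(">H", pkt[1:3])[0], 3
    else:
        raise ValueError("unsupported length type")
    return pkt[hdr:hdr + length]

def secret_key_protection(pkt):
    """Classify how the secret MPIs are stored from the S2K usage octet."""
    body = _packet_body(pkt)
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    off = 6  # version(1) + creation time(4) + public-key algorithm(1)
    for _ in range(PUBLIC_MPI_COUNT[body[5]]):
        off = _skip_mpi(body, off)
    usage = body[off]
    if usage == 0:  # plaintext: what a key stored "without a passphrase" looks like
        return "unencrypted"
    if usage in (254, 255):  # cipher id and S2K specifier follow
        return "encrypted (S2K, sym algo %d)" % body[off + 1]
    return "encrypted (legacy, sym algo %d)" % usage  # octet is the cipher id itself

def _build(tail):
    # Constructed v4 RSA public part: creation time, algo 1, MPI n (8 bits), MPI e (65537).
    pub = b"\x04\x56\x5c\xb1\x09\x01" + b"\x00\x08\xc7" + b"\x00\x11\x01\x00\x01"
    return bytes([0x94, len(pub) + len(tail)]) + pub + tail

# Constructed: S2K usage 0, one dummy secret MPI, 2-octet checksum.
UNENCRYPTED_PKT = _build(b"\x00" + b"\x00\x05\x13" + b"\x00\x13")
# Constructed: usage 254, AES-256 (9), iterated+salted S2K with SHA-256 (3, 8), 8-octet
# salt, count octet, 16-octet IV, opaque ciphertext. A key locked with an *empty*
# passphrase still has this shape: it is encrypted, only with a trivially guessable key.
ENCRYPTED_PKT = _build(b"\xfe\x09\x03\x08" + bytes(8) + b"\x60" + bytes(16) + bytes(24))
```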