Older gpg version does not ask for passphrase

Peter Lebbing peter at digitalbrains.com
Wed Jun 8 13:08:02 CEST 2016


Hello,

On 06/06/16 20:09, Matthias Nick wrote:
> On my laptop, running Arch Linux with gpg (GnuPG) 2.1.12 and libgcrypt
> 1.7.0, I am always asked for the passphrase.
> 
> Same thing happens on a Debian testing machine running gpg (GnuPG)
> 2.1.11 and libgcrypt 1.7.0-beta.
> 
> On that same machine, when I use gpg instead of gpg2 (gpg (GnuPG)
> 1.4.20) with the exact same command, the file is decrypted without
> entering a passphrase.
> 
> On a machine running Debian stable (gpg (GnuPG) 2.0.26 and libgcrypt
> 1.6.3), the file is also decrypted without a passphrase.
> 
> Lastly, my Android phone running OpenKeychain 3.9.5 does not ask for a
> passphrase either.

GnuPG 2.1 uses a new storage mechanism for your private keys, while 1.4
and 2.0 use the same "old" mechanism. From the way you sum it up, here's
what I suspect might be wrong: you simply have no passphrase set on
those systems that use the "old" storage. You might have exported your
private key without a passphrase once, and used this unprotected copy to
import the key elsewhere. When the key is stored without a passphrase,
you won't be asked for one, and anybody with access to the files where
the key is stored can simply copy the file and use your key, without a
passphrase.

If this is the problem, a way to fix it is to invoke:

$ gpg --edit-key YOURKEYID
[...]
> passwd
[... prompted for the new passphrase ...]
> save

If after that you are once again prompted for the passphrase (at least
once after starting the computer, since the agent might be caching it
after you've entered it once), then this was probably the issue. You
have solved it for the future on that computer. You can then repeat this
process on the others.

HOWEVER: keys stored without a passphrase are vulnerable to being
copied. If you suspect someone, for instance, has access to a backup
containing this key, you need to consider whether you should revoke the
key. I can't make this assessment for you, it's your decision. If the
key was stored without a passphrase, anybody with access to the files in
your GnuPG homedir can take your key and use it as they wish. Somebody
could have made a copy of it before you fixed the problem.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
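As an added example (not part of Peter's reply and not GnuPG's own code): a script that checks both storage formats the reply describes for keys saved without a passphrase. It assumes the OpenPGP secret-key packet layout of RFC 4880 section 5.5.3, where the octet after the public-key fields is the "S2K usage" octet (0 means the secret material is stored in the clear; 254, 255 or a legacy cipher id mean it is passphrase-encrypted), and it assumes GnuPG 2.1's private-keys-v1.d/<keygrip>.key files start with an S-expression headed (private-key ...), (protected-private-key ...) or (shadowed-private-key ...). The keyring bytes embedded below are constructed toy data with fake numbers, not a real key; the homedir path in the usage block is only a default.

```python
"""Find GnuPG secret keys stored without a passphrase (added example, toy data)."""
import os
import struct

SECRET_KEY_TAGS = {5: "secret-key", 7: "secret-subkey"}
# public MPIs per algorithm: RSA(1,2,3) n,e; Elgamal(16) p,g,y; DSA(17) p,q,g,y; ECC(18,19,22) point
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4, 18: 1, 19: 1, 22: 1}


def _packet_header(buf, pos):
    """Parse an old- or new-format OpenPGP packet header -> (tag, body_start, body_len)."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("offset %d is not a packet header" % pos)
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths are not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03       # old-format header
    if ltype == 3:
        raise ValueError("indeterminate packet length is not supported")
    size = 1 << ltype                                # 1, 2 or 4 length octets
    return tag, pos + 1 + size, int.from_bytes(buf[pos + 1:pos + 1 + size], "big")


def s2k_usage(body):
    """S2K usage octet of a v3/v4 secret-key packet body (RFC 4880 5.5.3); 0 == in the clear."""
    pos = 5 if body[0] == 4 else 7                   # version + creation time (+ v3 validity)
    algo = body[pos]
    pos += 1
    if algo in (18, 19, 22):                         # ECC keys: curve OID precedes the point MPI
        pos += 1 + body[pos]
    for _ in range(MPI_COUNT[algo]):                 # KeyError here means an unsupported algorithm
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2 + (bits + 7) // 8
    if algo == 18:                                   # ECDH also carries KDF parameters
        pos += 1 + body[pos]
    return body[pos]


def unprotected_in_secring(data):
    """Walk a secring.gpg blob; return [(packet type, offset)] of keys stored without a passphrase."""
    found, pos = [], 0
    while pos < len(data):
        tag, start, length = _packet_header(data, pos)
        if tag in SECRET_KEY_TAGS and s2k_usage(data[start:start + length]) == 0:
            found.append((SECRET_KEY_TAGS[tag], pos))
        pos = start + length
    return found


def keyfile_status(blob):
    """Classify a private-keys-v1.d/*.key file (canonical or 'Key:' extended format)."""
    for marker, status in ((b"shadowed-private-key", "on-card"),
                           (b"protected-private-key", "protected"),
                           (b"private-key", "UNPROTECTED")):
        if marker in blob:
            return status
    return "unknown"


def audit_homedir(homedir):
    """Findings for a GnuPG homedir in both the old (secring.gpg) and new (2.1) layouts."""
    findings = []
    secring = os.path.join(homedir, "secring.gpg")
    if os.path.isfile(secring):
        with open(secring, "rb") as fh:
            for kind, off in unprotected_in_secring(fh.read()):
                findings.append("secring.gpg: %s at offset %d has no passphrase" % (kind, off))
    keydir = os.path.join(homedir, "private-keys-v1.d")
    if os.path.isdir(keydir):
        for name in sorted(os.listdir(keydir)):
            if name.endswith(".key"):
                with open(os.path.join(keydir, name), "rb") as fh:
                    findings.append("%s: %s" % (name, keyfile_status(fh.read())))
    return findings


# ---- constructed sample keyring (toy numbers, not a real key) ----------------------------
def _mpi(value):
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def _fake_key_packet(tag, protected):
    body = bytes([4]) + struct.pack(">I", 1465380000) + bytes([1])    # v4, RSA
    body += _mpi(0xC5FF) + _mpi(65537)                                 # toy n, e
    if protected:   # usage 254: AES-128(7), iterated+salted S2K(3), SHA-1(2), salt, count, IV, ciphertext
        body += bytes([254, 7, 3, 2]) + b"\x00" * 8 + bytes([96]) + b"\x00" * 16 + b"\xAA" * 8
    else:           # usage 0: secret MPI in the clear, then the 2-octet checksum
        body += bytes([0]) + _mpi(0x1234) + b"\x00\x00"
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body   # old-format, 2-octet length


_UID = b"Constructed Test Key <test@example.com>"
SAMPLE_SECRING = (_fake_key_packet(5, False)                            # primary key, no passphrase
                  + bytes([0x80 | (13 << 2), len(_UID)]) + _UID         # user ID packet
                  + _fake_key_packet(7, True))                          # subkey, passphrase-protected

if __name__ == "__main__":
    print(unprotected_in_secring(SAMPLE_SECRING))                       # [('secret-key', 0)]
    for line in audit_homedir(os.path.expanduser("~/.gnupg")):
        print(line)
```

On a real homedir the script reads only the key files, never gpg itself, so it also works on a backup copy of a ~/.gnupg directory, which is exactly where the reply says an unprotected key would be exposed. A finding of "UNPROTECTED" or a secring.gpg hit is the condition `gpg --edit-key ... passwd` fixes going forward; it says nothing about who may already have copied the file.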