Changing passphrase parameters (s2k options)

John Lane gnupg at
Mon Jan 23 14:08:19 CET 2017

On 23/01/17 12:34, Peter Lebbing wrote:
> On 23/01/17 12:54, John Lane wrote:
>> Ok, so - if I understand you correctly - when I *export* the secret key
>> I can choose which algorithms are applied to the exported copy ?
> No, I meant that the bug report (turned feature request) is about
> choosing the options for export. As long as the bug is open, it's not
> possible to change it for export either.
ah, ok.

> However, in your initial mail you said:
>> When I tried to experiment with the `--s2k` options, attempting to
>> change the passphrase on my key, I found that they were ignored.
> From "chang[ing] the passphrase" I inferred you were talking about how
> the key is stored in the keyring, not about exporting the secret key.
> What are you trying to do? Change the encryption on an exported private
> key or changing the encryption of the private key store of GnuPG?

I started out trying to change the encryption of the key in the keyring
(because that is how I understood it to work) so that I could export a
copy of the key protected with better encryption. I did not appreciate
the implications of the difference brought about by 2.x wrt private key
storage (but was aware of it).

I then read your email and thought, "great! the options are applied
during the export.", and went off to try that but discovered quickly
(and as you have clarified) that it doesn't work that way.

I was going to pose a follow-up question, which is now moot, about
controlling how the encryption within the agent keyring is done. But I
was going to go away and do my own research first.

> (FWIW, I don't think you can currently do either. Possibly you can
> change the s2k-count via the agent protocol, but that might not pertain
> to the private key store, I just don't know).

So, I guess, to summarise... until issue 1800 is addressed there is no
way to change the encryption of an existing secret key?

FWIW I started looking at this because I was researching keybase and its
storage of private keys. Whilst I have not stored my private key on any
host I don't control, I was curious to understand how it could be done
securely by understanding how private keys are protected and how that
can be enhanced should there be desire to externally them.

