Does GPG Ever Store RSA Secret Keys On The Disk In Plain?
Werner Koch
wk at gnupg.org
Sat Dec 19 18:36:25 CET 2020
On Fri, 18 Dec 2020 12:54, Annie Yousar said:
> The key is not encrypted with the passphrase, but with a secret key
> derived (by S2K) from the passphrase with the help of a
> salt. Therefore each export gives different export data, despite using
> the same passphrase.
That is because GnuPG internally stores the secret key in a different
format than what is specified for the OpenPGP secret key exchange
format. Thus in general we need to re-encrypt the secret key for export,
and so a fresh salt is used.
Although not yet officially specified, it is also okay to export the
internal format (those <40hexdigits>.key files). This is often useful
if an encryption subkey needs to be shared between members of a team
(role accounts, etc.).
Please take care if planning this because those key files may contain
metadata (e.g. a description of the key) and the passphrase is not as
strong as usual OpenPGP encryption. Thus convey them only over a secure
channel (i.e. with an additional encryption and authentication layer).
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
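The mechanism described in the reply above (the secret MPIs are protected under a key that S2K derives from the passphrase and a salt, and a fresh 8-octet salt is drawn at each export) as an added worked example in Python. This is not code from the mail or from GnuPG: it implements the RFC 4880 iterated+salted S2K from the standard library, builds and parses the S2K header of a v4 RSA secret-key packet, and models two exports of one key under one passphrase. The RSA values, passphrase and the opaque "encrypted secret" bytes are constructed dummies, and the AES-128/CFB encryption of the secret part is omitted (not in the standard library), so only the key derivation and the packet structure around it are shown.

```python
"""Added example (not from the mail or GnuPG): RFC 4880 iterated+salted S2K and
the S2K header of a v4 secret-key packet, to show why two exports of the same
secret key under the same passphrase differ byte-for-byte."""
import hashlib
import os
import struct


def decode_s2k_count(coded: int) -> int:
    """RFC 4880 section 3.7.1.3: one-octet coded count -> number of octets to hash."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        hash_name: str = "sha1", key_len: int = 16) -> bytes:
    """Derive key_len octets from passphrase and an 8-octet salt (S2K type 3)."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    data = salt + passphrase
    # At least one full copy of salt||passphrase is hashed, then the stream is
    # repeated until `count` octets have gone into the hash.
    total = max(decode_s2k_count(coded_count), len(data))
    full, rem = divmod(total, len(data))
    out, ctx = b"", 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx)   # section 3.7.1.1: extra contexts are preloaded with zeros
        for _ in range(full):
            h.update(data)
        h.update(data[:rem])
        out += h.digest()
        ctx += 1
    return out[:key_len]


def _mpi(n: int) -> bytes:
    """OpenPGP MPI: 2-octet bit length followed by the big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def _skip_mpi(buf: bytes, pos: int) -> int:
    bits = struct.unpack(">H", buf[pos:pos + 2])[0]
    return pos + 2 + (bits + 7) // 8


def export_secret_key_body(n: int, e: int, protected_secret: bytes, salt: bytes,
                           coded_count: int = 0x60) -> bytes:
    """Body of a v4 RSA secret-key packet (tag 5) with S2K usage 254.

    The caller supplies the already-encrypted secret MPIs; AES-128/CFB is not in
    the standard library, so this example models only the header around them."""
    body = b"\x04" + struct.pack(">I", 0) + b"\x01"    # version 4, creation time, algo 1 = RSA
    body += _mpi(n) + _mpi(e)                          # public material, identical on every export
    body += b"\xfe\x07"                                # usage 254 (SHA-1 hashed), sym algo 7 = AES-128
    body += b"\x03\x02" + salt + bytes([coded_count])  # S2K type 3, hash 2 = SHA-1, salt, count
    body += os.urandom(16)                             # CFB IV, fresh per export like the salt
    return body + protected_secret


def parse_s2k_header(body: bytes) -> dict:
    """Walk past the public part of a v4 RSA secret-key packet and read its S2K fields."""
    if body[0] != 4 or body[5] != 1:
        raise ValueError("only v4 RSA keys are handled in this example")
    pos = 6
    for _ in range(2):                 # an RSA public key carries two MPIs: n, e
        pos = _skip_mpi(body, pos)
    usage = body[pos]
    if usage not in (254, 255):
        raise ValueError("secret part is not S2K-protected (usage %d)" % usage)
    sym, s2k_type, hash_algo = body[pos + 1], body[pos + 2], body[pos + 3]
    if s2k_type != 3:
        raise ValueError("example handles iterated+salted S2K only")
    salt = body[pos + 4:pos + 12]
    coded = body[pos + 12]
    return {"usage": usage, "sym_algo": sym, "hash_algo": hash_algo,
            "salt": salt, "coded_count": coded, "count": decode_s2k_count(coded),
            "public_part": body[:pos]}


def compare_two_exports(passphrase: bytes) -> dict:
    """Model two runs of a secret-key export for one key and one passphrase."""
    n, e = (1 << 1023) + 123456789, 65537   # constructed dummy RSA values, not a real key
    opaque = b"\xaa" * 32                   # stands in for the encrypted d, p, q, u MPIs
    exports = [export_secret_key_body(n, e, opaque, os.urandom(8)) for _ in range(2)]
    hdr = [parse_s2k_header(x) for x in exports]
    keys = [s2k_iterated_salted(passphrase, h["salt"], h["coded_count"]) for h in hdr]
    return {"same_public_part": hdr[0]["public_part"] == hdr[1]["public_part"],
            "same_salt": hdr[0]["salt"] == hdr[1]["salt"],
            "same_derived_key": keys[0] == keys[1],
            "same_bytes": exports[0] == exports[1]}
```

Running `compare_two_exports(b"correct horse")` yields an identical public part but a different salt, a different derived key and therefore different packet bytes on each export; in a real export the ciphertext of the secret MPIs also differs, because it is produced under that fresh key and IV. The coded count 0x60 is used only to keep the example fast; GnuPG picks a much larger count by default, and 0xFF decodes to 65011712 octets.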