Does GPG Ever Store RSA Secret Keys On The Disk In Plain?

Werner Koch wk at gnupg.org
Sat Dec 19 18:36:25 CET 2020


On Fri, 18 Dec 2020 12:54, Annie Yousar said:

> The key is not encrypted with the passphrase, but with a secret key
> derived (by S2K) from the passphrase with the help of a
> salt. Therefore each export gives different export data, despite using
> the same passphrase.

That is because GnuPG internally stores the secret key in a different
format than what is specified for the OpenPGP secret key exchange
format.  Thus in general we need to re-encrypt the secret key for export
and thus a fresh salt is used.

Although not yet officially specified, it is also okay to export the
internal format (those <40hexdigits>.key files).  This is often useful
if an encryption subkey needs to be shared between members of a team
(role accounts etc.).

Please take care if planning this because those key files may contain
metadata (e.g. a description of the key) and the passphrase is not as
strong as usual OpenPGP encryption.  Thus convey them only over a secure
channel (i.e. with an additional encryption and authentication layer).


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.
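The S2K derivation the thread refers to, as an added worked example that is not part of the original message and not GnuPG's own code: the iterated-and-salted String-to-Key function of RFC 4880 section 3.7.1.3 turns the passphrase plus an 8-octet salt into the key that actually wraps the exported secret key material, which is why the same passphrase yields different export data whenever a fresh salt is drawn. The hash (SHA-256), the coded count (0x60), the key length, the sample passphrase and the helper names `protect_for_export` and `s2k_specifier` are assumptions chosen for illustration; GnuPG's defaults and its internal (`.key` file) protection may differ, and the symmetric encryption of the secret MPIs with the derived key is not shown.

```python
"""Iterated-and-salted OpenPGP S2K (RFC 4880, section 3.7.1.3).

Hypothetical example code, not GnuPG's implementation.  Hash choice,
coded count and the sample passphrase are assumptions for illustration.
"""
import hashlib
import os
from typing import Optional, Tuple

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4) used in the specifier.
HASH_IDS = {"sha1": 2, "sha256": 8, "sha512": 10}


def decode_s2k_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha256") -> bytes:
    """Derive key_len octets from passphrase and the 8-octet salt.

    salt||passphrase is fed to the hash repeatedly until `count` octets have
    been absorbed; if count is smaller than len(salt||passphrase) the whole
    string is hashed once.  When one digest is shorter than the key, further
    contexts are preloaded with 1, 2, ... zero octets and their digests are
    concatenated (RFC 4880, section 3.7.1.1).
    """
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    data = salt + passphrase
    count = max(decode_s2k_count(coded_count), len(data))
    # Hash in chunks that are whole multiples of `data`, so the position in
    # the repeating cycle stays aligned and the loop stays fast in Python.
    block = data * max(1, 65536 // len(data))
    out = b""
    preload = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)
        remaining = count
        while remaining > 0:
            chunk = block if remaining >= len(block) else block[:remaining]
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
        preload += 1
    return out[:key_len]


def s2k_specifier(salt: bytes, coded_count: int,
                  hash_name: str = "sha256") -> bytes:
    """S2K specifier as stored in the packet: type 3, hash ID, salt, count."""
    return bytes([3, HASH_IDS[hash_name]]) + salt + bytes([coded_count])


def protect_for_export(passphrase: bytes, key_len: int = 32,
                       coded_count: int = 0x60,
                       salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What each export does: draw a fresh salt, derive the wrapping key.

    Returns (specifier, key).  Encrypting the secret MPIs under that key
    (a symmetric cipher in CFB mode in a real packet) is out of scope here.
    """
    if salt is None:
        salt = os.urandom(8)  # fresh salt per export -> different output
    return (s2k_specifier(salt, coded_count),
            s2k_iterated_salted(passphrase, salt, coded_count, key_len))


if __name__ == "__main__":
    pw = b"correct horse battery staple"  # constructed sample passphrase
    spec1, key1 = protect_for_export(pw)
    spec2, key2 = protect_for_export(pw)
    print("export 1 S2K:", spec1.hex(), "key:", key1.hex())
    print("export 2 S2K:", spec2.hex(), "key:", key2.hex())
    print("same passphrase, different salt -> different key:", key1 != key2)
```

Running the block twice on the same passphrase prints two different specifiers and two different wrapping keys, which is the behaviour the thread describes; the keys coincide only when the same salt is reused, and the recipient can always re-derive the key because the salt and count travel in the clear inside the specifier.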