Does GPG Ever Store RSA Secret Keys On The Disk In Plain?

Werner Koch wk at gnupg.org
Tue Dec 22 07:46:12 CET 2020 

On Mon, 21 Dec 2020 18:47, Novak Boškov said:

> So, the two subsequent exports are supposed to give me my private key
> encrypted with two different AES keys (same passphrase + a different salt)?

Right:

First packet of the first export:

# off=0 ctb=95 tag=5 hlen=3 plen=1414
:secret key packet:
        version 4, algo 1, created 1568715099, expires 0
        pkey[0]: [3072 bits]
        pkey[1]: [17 bits]
        iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: E28C8328510DEDC0
        protect count: 30408704 (237)
        protect IV:  6e a3 36 63 19 2c fc 87 b2 c6 be d3 03 41 09 56
        skey[2]: [v4 protected]
        keyid: F29010625F3EDDDA

First packet of the second export:

# off=0 ctb=95 tag=5 hlen=3 plen=1414
:secret key packet:
        version 4, algo 1, created 1568715099, expires 0
        pkey[0]: [3072 bits]
        pkey[1]: [17 bits]
        iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 24725FA6DAA0883C
        protect count: 30408704 (237)
        protect IV:  f5 29 51 fe 73 02 1a 31 19 fd bf fe ae 37 ef 23
        skey[2]: [v4 protected]
        keyid: F29010625F3EDDDA

You see that the salt and the IV are both different.  The protection
count is the same because this is a constant computed by gpg-agent at
startup my measuring the speed of the KDF.  The actual encrypted key
data (not shown) is also different.

> How does transferring the keys to a different machine is supposed to
> work then?

 box1$ gpg --export-secret-key FINGERPRINT >key.sec

 box2$ gpg --import key.sec

You need to enter the passphrase during export.  For import the
re-encryption is delayed until the key is used and thus you won't need a
passphrase immediately.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20201222/db727ca3/attachment.sig>

More information about the Gnupg-users mailing list