Does GPG Ever Store RSA Secret Keys On The Disk In Plain?

Novak Boškov boskov at bu.edu
Tue Dec 22 19:32:21 CET 2020


>  box1$ gpg --export-secret-key FINGERPRINT >key.sec
>
>  box2$ gpg --import key.sec
OK, I see why this works. Because the salt, IV and protect count are all
stored in plain alongside the encrypted version of the secret key.

However, my secret key packets do not have that `iter+salt`, `protect
count` and `protect IV` parts. They have the plain `skey` parts. That
may be the reason why my subsequent exports are byte-equal.

Now, the issue that I have is that `gpg --passwd <key_id>` says that my
key is protected by a passphrase. It asks for the current passphrase
before it lets me type in the new one. How can it be that `gpg --passwd
<key_id>` asks for the passphrase if `gpg --list-packets <key_id>` does
not have the `iter+salt` part? In other words, is <key_id> protected by
a passphrase or not?

On 12/22/20 1:46 AM, Werner Koch wrote:
> On Mon, 21 Dec 2020 18:47, Novak Boškov said:
>
>> So, the two subsequent exports are supposed to give me my private key
>> encrypted with two different AES keys (same passphrase + a different salt)?
> Right:
>
> First packet of the first export:
>
> # off=0 ctb=95 tag=5 hlen=3 plen=1414
> :secret key packet:
>         version 4, algo 1, created 1568715099, expires 0
>         pkey[0]: [3072 bits]
>         pkey[1]: [17 bits]
>         iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: E28C8328510DEDC0
>         protect count: 30408704 (237)
>         protect IV:  6e a3 36 63 19 2c fc 87 b2 c6 be d3 03 41 09 56
>         skey[2]: [v4 protected]
>         keyid: F29010625F3EDDDA
>
> First packet of the second export:
>
> # off=0 ctb=95 tag=5 hlen=3 plen=1414
> :secret key packet:
>         version 4, algo 1, created 1568715099, expires 0
>         pkey[0]: [3072 bits]
>         pkey[1]: [17 bits]
>         iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 24725FA6DAA0883C
>         protect count: 30408704 (237)
>         protect IV:  f5 29 51 fe 73 02 1a 31 19 fd bf fe ae 37 ef 23
>         skey[2]: [v4 protected]
>         keyid: F29010625F3EDDDA
>
> You see that the salt and the IV are both different.  The protection
> count is the same because this is a constant computed by gpg-agent at
> startup my measuring the speed of the KDF.  The actual encrypted key
> data (not shown) is also different.
>
>> How does transferring the keys to a different machine is supposed to
>> work then?
>  box1$ gpg --export-secret-key FINGERPRINT >key.sec
>
>  box2$ gpg --import key.sec
>
> You need to enter the passphrase during export.  For import the
> re-encryption is delayed until the key is used and thus you won't need a
> passphrase immediately.
>
>
> Shalom-Salam,
>
>    Werner
>
-- 
    Novak Boškov
    /PhD Student/
    /Electrical & Computer Engineering Department/
    /Boston University/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20201222/4163630f/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xB8D4C9837C741FBD.asc
Type: application/pgp-keys
Size: 2448 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20201222/4163630f/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20201222/4163630f/attachment.sig>


More information about the Gnupg-users mailing list