exported secret keys encrypted? #195

Closed
rudolph9 opened this issue Jun 23, 2020 · 3 comments

@rudolph9

In the Export Secret Keys section of the README it states:

> The master key and sub-keys will be encrypted with your passphrase when exported.

However I see no indication in the GPG man page that this is the case?

   --export-secret-keys
   --export-secret-subkeys
          Same as --export, but exports the secret keys instead.  The exported keys are written to STDOUT or to  the  file  given  with  option
          --output.   This  command is often used along with the option --armor to allow for easy printing of the key for paper backup; however
          the external tool paperkey does a better job of creating backups on paper.  Note that exporting a secret key can be a  security  risk
          if the exported keys are sent over an insecure channel.

          The second form of the command has the special property to render the secret part of the primary key useless; this is a GNU extension
          to OpenPGP and other implementations can not be expected to successfully import such a key.  Its intended use is in generating a full
          key  with an additional signing subkey on a dedicated machine.  This command then exports the key without the primary key to the main
          machine.

          GnuPG may ask you to enter the passphrase for the key.  This is required, because the internal protection method of the secret key is
          different from the one specified by the OpenPGP protocol.

I know I could export and import the keys to verify whether this is the case, but the whole process is pretty confusing and it's difficult to recover from mistakes, so any feedback will be greatly appreciated!

@rudolph9
Author

There is a comment in the paperkey "Security" section that supports the claim that exported keys are encrypted with the passphrase:

> If your key has a passphrase on it (i.e. is encrypted), the paper copy is similarly encrypted. If your key has no passphrase, neither does the paper copy. Whatever the passphrase (or lack thereof) was on the original secret key will be the same on the reconstructed key.

@drduh
Owner

drduh commented Aug 22, 2020

My assumption is keys are encrypted symmetrically if a password is required to import them. If anyone has evidence to the contrary, please reopen and enlighten us.

@drduh drduh closed this as completed Aug 22, 2020
@rudolph9
Author

@drduh The keys are indeed encrypted symmetrically. Did some testing but forgot to follow up on this ticket. Keep it closed 👍
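
Added example (not part of the thread or the project's README): the result confirmed above can be checked on an exported file without importing it, by reading the S2K usage octet of each secret-key packet (RFC 4880, section 5.5.3), where 0 means the secret material is stored in the clear and any other value means it is encrypted. The function names and sample bytes are constructed for this sketch; it assumes binary output (no `--armor`), v4 key packets, and that S2K type 101 is GnuPG's marker for a stub with no secret material, as produced for the primary key by `--export-secret-subkeys`.

```python
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}   # public MPIs: RSA, Elgamal, DSA
ECC = {18, 19, 22}                               # ECDH, ECDSA, EdDSA
def packets(data):
    """Yield (tag, body) for each packet of a binary (non-armored) export."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not (hdr & 0x80) or (hdr & 0x43) == 0x03:
            raise ValueError("armored input or indeterminate-length packet")
        if hdr & 0x40:                           # new-format header
            tag, n, i = hdr & 0x3F, data[i], i + 1   # n: first length octet
            if 192 <= n < 224:
                n, i = ((n - 192) << 8) + data[i] + 192, i + 1
            elif n == 255:
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            elif n >= 224:
                raise ValueError("partial body lengths not handled")
        else:                                    # old-format header
            tag, width = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            n, i = int.from_bytes(data[i:i + width], "big"), i + width
        yield tag, data[i:i + n]
        i += n

def skip_mpi(b, i):
    return i + 2 + (int.from_bytes(b[i:i + 2], "big") + 7) // 8

def protection(body):
    """Classify a v4 secret-key packet by the S2K usage octet after its public part."""
    algo, i = body[5], 6
    if algo in ECC:
        i = skip_mpi(body, i + 1 + body[i])      # curve OID, then public point
        i += 1 + body[i] if algo == 18 else 0    # ECDH KDF parameters
    else:
        for _ in range(MPI_COUNT[algo]):
            i = skip_mpi(body, i)
    if body[i] == 0:
        return "unprotected"
    if body[i] in (254, 255) and body[i + 2] == 101:   # GnuPG extension S2K
        return "stub"                            # no secret material in packet
    return "encrypted"

def report(data):
    return [(t, protection(b)) for t, b in packets(data) if t in (5, 7)]

# Constructed sample (minimal, not usable keys): stub primary, two subkeys.
PUB = bytes.fromhex("0400000000010008ff000203")  # v4 RSA public part, tiny n and e
SAMPLE = b"".join(bytes([0x80 | t << 2, len(b)]) + b for t, b in [
    (5, PUB + b"\xff\x00\x65\x00GNU\x01"),
    (7, PUB + b"\xfe\x09\x03\x08" + bytes(27)), (7, PUB + b"\x00" + bytes(6))])
```

Calling `report()` on the bytes of a file written by `gpg --export-secret-keys` lists each secret key (tag 5) and secret subkey (tag 7) with its state; an `unprotected` entry means that key material sits in the file in the clear.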
