Doubt: Decrypting PGP private key's password! #1401
Comments
The password is not encrypted, the PGP key is. The password is one part in the process of generating different secrets for the en-/decryption. The algorithm used is a development named TripleSec which in fact is three different ciphers on top of each other (AES, Twofish and Salsa20).
@dtiersch Thanks! It was a typo. I will read about it! Is it done client-side or on the webserver?
They do it client-side. That's why they wrote kbpgp, an implementation of PGP in JavaScript, so that they can do everything on the client and the server never needs to see anything unencrypted.
@dtiersch pretty much summed it up. Code for KBPGP: https://github.com/keybase/kbpgp If you choose to store your encrypted private key on Keybase's servers, it is encrypted with your passphrase, using triplesec. Triplesec does extensive passphrase stretching, to make brute force/dictionary attacks very expensive, and it uses all 3 of those ciphers for fear that someday one of them will be weakened/broken. I think it's also worth noting that, since your key is encrypted with your passphrase, Keybase never gets to know your passphrase. For this reason, the login model on Keybase doesn't follow the traditional pack it up and send it over https. Instead, logging in uses these 2 calls: https://keybase.io/docs/api/1.0/call/getsalt which is how you prove you know your passphrase without ever sending it to Keybase. As a last point, you're making 2 big decisions when storing your private key on Keybase:
I assume I've answered everything but feel free to reopen if not.
Hello,
How is decryption of PGP password done? I currently don't like to store encrypted private key online. After thinking about it, it would be helpful when traveling to use with secure connection. Before doing it, I would like to know how decryption is done. Thanks in advance!
Kindly,
Muhammed Zakir
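The comments above make two points worth seeing in code: the passphrase is stretched with an expensive KDF before it is used for anything, and the login proves knowledge of the passphrase after fetching a salt, without the passphrase ever leaving the client. The example below is an added, constructed model of those two ideas; it is not Keybase's protocol, not triplesec's format, and not code from kbpgp. The scrypt parameters, the key-splitting rule and the HMAC challenge/response are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed illustration of client-side passphrase stretching and a
# salted login proof. This is NOT Keybase's real protocol or triplesec's
# on-disk format; every parameter and message shape here is an assumption.

# scrypt cost parameters (hypothetical values chosen so the example runs in
# well under a second; real deployments use considerably more work).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def stretch(passphrase: str, salt: bytes) -> bytes:
    """Expensive KDF: every guess an attacker makes costs this much work."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)


def derive_keys(passphrase: str, salt: bytes):
    """Split the stretched output into two independent 32-byte keys:
    - kek: the key that would encrypt the private-key blob; stays on the client.
    - login_key: used only to prove knowledge of the passphrase."""
    stretched = stretch(passphrase, salt)
    return stretched[:32], stretched[32:]


def register(passphrase: str) -> dict:
    """What the server stores: a random salt and the login key.
    Neither the passphrase nor the kek is part of this record."""
    salt = os.urandom(16)
    _kek, login_key = derive_keys(passphrase, salt)
    return {"salt": salt, "login_key": login_key}


def client_login_proof(passphrase: str, salt: bytes, challenge: bytes) -> bytes:
    """Client side of the login: fetch the salt, re-derive locally and answer a
    one-time server challenge with an HMAC. Only the HMAC goes over the wire."""
    _kek, login_key = derive_keys(passphrase, salt)
    return hmac.new(login_key, challenge, "sha256").digest()


def server_verify(record: dict, challenge: bytes, proof: bytes) -> bool:
    """Server side: recompute the expected HMAC and compare in constant time."""
    expected = hmac.new(record["login_key"], challenge, "sha256").digest()
    return hmac.compare_digest(expected, proof)


def login(record: dict, passphrase: str) -> bool:
    """Full round trip with a fresh challenge."""
    challenge = os.urandom(32)
    proof = client_login_proof(passphrase, record["salt"], challenge)
    return server_verify(record, challenge, proof)


if __name__ == "__main__":
    rec = register("correct horse battery staple")
    print("right passphrase:", login(rec, "correct horse battery staple"))
    print("wrong passphrase:", login(rec, "Correct horse battery staple"))
```

The design choice to notice is the split in `derive_keys`: the material that protects the stored private key and the material used for login come from the same stretched secret but are different bytes, so a copy of the server's record lets an attacker log in, not decrypt the key blob, and the stretching means each offline guess against either still costs a full scrypt evaluation.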