12 events
Dec 21, 2019 at 17:33 comment added JW0914 @KonstantinRybakov Provided it's encrypted w/ a min of 16char, containing at least two each of lowercase, uppercase, numbers, and symbols, it would guarantee the passphrase will remain uncrackable (it would take the largest known botnet [to date] using GPUs over a thousand years to try 50% of the possible passphrases, assuming a possible 80 different characters [math] could be used). If security is a real concern, export on an air-gapped device, then immediately securely erase the drives 5x - 7x w/ random characters.
Dec 21, 2019 at 17:25 comment added Konstantin Rybakov @JW0914, Thanks, so they are encrypted by default. I am confused by that sentence from the man pages: if the secret key is exported encrypted with a good long passphrase, are there any other security risks if the encrypted key is publicly available or "sent over an insecure channel"?
Dec 21, 2019 at 17:18 comment added JW0914 @KonstantinRybakov I've exported subkey and master key secret keys before with the secret key staying encrypted (My question was regarding Matteo's comment, as a key can be created without encryption.) This is further explained on StackOverflow here and here, as well as in the GPG man page for --export-secret-keys / --export-secret-subkeys; --export just exports the public keys.
Dec 21, 2019 at 17:01 comment added Konstantin Rybakov The passphrase is set when you generate a new key and it is not encrypted. It is used to encrypt your secret key and it is not stored anywhere on the machine.
Dec 21, 2019 at 16:59 comment added Konstantin Rybakov Hm. It asked on mine and verified it. I am using gpg2. Try now signing something with that key. Will it ask for the old passphrase?
Dec 21, 2019 at 16:59 comment added JW0914 @Matteo Was your key passphrase encrypted prior to the export?
Dec 21, 2019 at 16:58 comment added Matteo I just tried, exported on one machine, scp to a second machine, imported it. No password prompt.
Dec 21, 2019 at 16:54 comment added Konstantin Rybakov When you import an exported secret key on another machine, which is unaware of that key's existence, you are asked for the passphrase, which means that the key you are importing is encrypted. If it were raw - another machine would not be able to verify the previously set passphrase.
Dec 21, 2019 at 16:45 comment added Matteo In the documentation there is no mention of encrypting. When you export it, you are asked for the password to decrypt it, but there is no prompt for a transport password.
Dec 21, 2019 at 16:45 review Low quality posts
Dec 21, 2019 at 16:56
Dec 21, 2019 at 16:41 comment added Konstantin Rybakov Thanks for the response. Is there any documentation that says it is not encrypted? I understood it such that the passphrase is used to decrypt the secret key each time it is used or imported, and it works just like a PEM-encrypted private key.
Dec 21, 2019 at 16:27 history answered Matteo CC BY-SA 4.0