On Mon, Jun 04, 2012 at 11:57:02AM -0400 Also sprach Sam Smith:
> No, the exported file is NOT protected by the passphrase.
>
> If I export the key, and then delete my secret key from my keyring,
> and now import what I exported, I am not asked for a password before
> the import is allowed to complete. That is, anyone who gains access
> to my machine can export my secret key (no password required), take
> the product of the export to whatever computer they want and then
> import it (no password required).
>
> I do not see where the security lies. Thanks for the help.
>
The security lies in the fact that the key you are exporting and importing is itself encrypted. It is encrypted where it resides on your keychain, it is encrypted in the file you export, and it is still encrypted when you import it into another keychain.

Adding a password requirement to --export-secret-keys would add a very marginal degree of security, because, as has been noted, anyone with access to your user account on the computer which hosts your keychain (i.e. someone who could presumably run gpg --export-secret-keys on your keychain) could just as easily cp the whole darn keychain; they STILL would not be able to use your key to sign or decrypt without knowing the passphrase of the key. The export command really just provides you with a convenient method of copying a specific key or keys from your keychain, instead of the whole thing.

It is almost impossible (or at least not practical) to prevent someone with physical access to your computer from exporting or copying key data which is stored on your hard disk, so the key is always stored in encrypted form, so that even if it is copied, it cannot be used sans passphrase.

If you are truly concerned about preventing the possibility that even your encrypted private keys may be copied, consider a solution such as the OpenPGP card, from which it is practically infeasible to export the keys at all.

_______________________________________________
Gnupg-users mailing list
http://lists.gnupg.org/mailman/listinfo/gnupg-users
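An added example, not from this thread or from GnuPG itself, that checks the property the reply relies on: every Secret-Key (tag 5) or Secret-Subkey (tag 7) packet in an exported key carries an S2K usage octet that says whether the secret MPIs are passphrase-encrypted (254, 255, or a cipher id) or stored in the clear (0); this is the field `gpg --list-packets` summarises as "iter+salt S2K". The parser covers v4 RSA/DSA/ElGamal packets with old- and new-format headers; the sample packets are constructed toys with tiny MPIs, not real keys.

```python
RSA, ELGAMAL, DSA = 1, 16, 17
PUBLIC_MPIS = {RSA: 2, ELGAMAL: 3, DSA: 4}   # public MPIs that precede the S2K usage octet
SECRET_KEY, SECRET_SUBKEY = 5, 7

def read_packets(data):
    """Yield (tag, body) per OpenPGP packet; old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header (gpg's choice for tag 5)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[i:i + (1 << ltype)], "big"); i += 1 << ltype
        yield tag, data[i:i + length]
        i += length

def s2k_usage(body):
    """S2K usage octet of a v4 secret-key body (RFC 4880 5.5.3); 0 = secret MPIs in the clear."""
    if body[0] != 4 or body[5] not in PUBLIC_MPIS:
        raise ValueError("only v4 RSA/DSA/ElGamal key packets are supported")
    pos = 6                                              # after version, creation time, algorithm id
    for _ in range(PUBLIC_MPIS[body[5]]):                # MPI = 2-byte bit count, then the octets
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    return body[pos]

def protected_status(data):
    """One bool per secret (sub)key packet: is its key material passphrase-encrypted?"""
    return [s2k_usage(body) != 0 for tag, body in read_packets(data)
            if tag in (SECRET_KEY, SECRET_SUBKEY)]
def _mpi(n):
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")
def constructed_secret_key(usage):
    """Constructed toy tag-5 packet (not a real key): v4, RSA, tiny MPIs, then the S2K octet."""
    body = (b"\x04\x00\x00\x00\x00" + bytes([RSA]) + _mpi(0xC0FFEE) + _mpi(65537)
            + bytes([usage]) + b"\0" * 8)                # filler stands in for S2K params/ciphertext
    return bytes([0x95, 0x00, len(body)]) + body         # old-format header: tag 5, 2-octet length
if __name__ == "__main__":                               # 254 = encrypted + SHA-1 checksum, 0 = unprotected
    print(protected_status(constructed_secret_key(254) + constructed_secret_key(0)))  # [True, False]
```

To run it against a real export, feed it the binary output of gpg --export-secret-keys (not ASCII-armored) and expect True for every entry; a False means that packet's secret material would be usable by anyone holding the file.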
