On Thu, 20 Sep 2018 15:05, [email protected] said:

> When I change the passphrase of an existing 1.x generated key with
> gpg 2.2.8, the key gets somehow updated (slow).
So this is not about the key but about the protection of the private key. That protection (the passphrase) is there as a failsafe mechanism in case the private key is leaked without the machine being compromised (backup tape lost, etc.).

We try to achieve that this decryption process takes about 100ms; that value can be changed at build time using the configure option --with-agent-s2k-calibration=MSEC but not at run time. When you change the passphrase of an old key the first time or when you import it to gpg the key is re-encrypted so that it takes that long.

In contrast gpg 1.4 uses a fixed value here and does not calibrate it to the actual machine in use. The outcome is that a gpg 1.4 created/passphrase changed key has a too weak protection in that a dictionary attack can be more easily mounted.

It seems that you are doing a lot of operations with that key in a row. gpg-agent's cache will cache the unprotected key so that the 100ms to unprotect the key is only spent once during the caching time to live (10 minutes by default). Make sure that the cache is enabled by checking the options --max-cache-ttl and default-cache-ttl.

Depending on your use case you may want to work without a passphrase (key protection) at all.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
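The calibration idea described in the message above, as an added example that is not part of the original message and is not GnuPG's code: it implements the OpenPGP iterated and salted S2K (RFC 4880, section 3.7.1.3) with SHA-1 for a single-digest key, then picks the count that costs about 100 ms on the machine it runs on and compares it with a fixed count. Assumptions: the coded count 96 (65536 octets) stands in for the fixed gpg 1.4 value, and the helper names and the doubling-then-scaling calibration are hypothetical.

```python
import hashlib
import time

# Assumption: coded count 96 (65536 octets) stands in for the fixed gpg 1.4 value.
FIXED_CODED_COUNT = 96

def decode_count(c):
    """RFC 4880 3.7.1.3: one-octet coded count -> number of octets hashed."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def encode_count(n):
    """Smallest coded count that hashes at least n octets (capped at 255)."""
    return next((c for c in range(256) if decode_count(c) >= n), 255)

def s2k_iterated(passphrase, salt, count, hash_name="sha1"):
    """Hash `count` octets of salt||passphrase repeated; one digest of output."""
    data = salt + passphrase
    count = max(count, len(data))        # the input is always hashed at least once
    h = hashlib.new(hash_name)
    chunk = data * 4096                  # whole repetitions, so alignment is kept
    while count >= len(chunk):
        h.update(chunk)
        count -= len(chunk)
    h.update((data * (count // len(data) + 1))[:count])
    return h.digest()

def time_ms(count):
    """Wall-clock cost in milliseconds of one derivation with this octet count."""
    t0 = time.perf_counter()
    s2k_iterated(b"calibration passphrase", b"\x00" * 8, count)
    return (time.perf_counter() - t0) * 1000.0

def calibrate(target_ms):
    """Double the count until the timing is measurable, then scale to the target."""
    count = decode_count(FIXED_CODED_COUNT)
    ms = time_ms(count)
    while ms < target_ms / 4 and count < decode_count(255):
        count *= 2
        ms = time_ms(count)
    return encode_count(int(count * target_ms / max(ms, 1e-6)))

if __name__ == "__main__":
    coded = calibrate(100)               # the 100 ms target named in the message
    for label, c in (("fixed", FIXED_CODED_COUNT), ("calibrated", coded)):
        ms = time_ms(decode_count(c))
        print(f"{label:10s} coded={c:3d} octets={decode_count(c):9d} "
              f"{ms:7.2f} ms/guess, about {1000 / ms:8.0f} guesses/s per core")
```

The guesses-per-second column is the per-core rate at which passphrase candidates can be tested against a leaked protected key, which is the quantity the calibration is meant to bound.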
