On 2020-12-16 at 14:47 -0500, Novak Boškov wrote:
> Hello everyone,
>
> On this link is the following statement:
>
> > To help safeguard your key, GnuPG does not store your raw private
> > key on disk. Instead it encrypts it using a symmetric encryption
> > algorithm.
>
> However, I'm not entirely clear on what happens when I do:
>
>     gpg --export-secret-keys --armor <key_id>
>
> Is the secret key block that appears on STDOUT my plain secret key
> or is it its encrypted version?
It is encrypted with your passphrase. You (or an attacker) will need the
passphrase in order to use that exported secret key. Except if the secret
key wasn't protected with a passphrase, in which case the exported key
isn't, either.

You can verify yourself if the key is protected or not by feeding it to
gpg --list-packets. A key protected with a passphrase will have a packet
similar to this:

    :secret sub key packet:
        version 4, algo 1, created 1608251624, expires 0
        pkey[0]: [1024 bits]
        pkey[1]: [17 bits]
        iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 1546427246151681
        protect count: 32505856 (239)
        protect IV:  eb f7 79 f8 0c cc b8 a6 e7 e4 88 c1 7b a8 0f e4
        skey[2]: [v4 protected]
        keyid: <key id>

whereas if it didn't have a passphrase, you would see a simpler packet
with the data directly available:

    :secret sub key packet:
        version 4, algo 1, created 1608251706, expires 0
        pkey[0]: [1024 bits]
        pkey[1]: [17 bits]
        skey[2]: [1023 bits]
        skey[3]: [512 bits]
        skey[4]: [512 bits]
        skey[5]: [511 bits]
        checksum: 9f84
        keyid: <key id>

The confusion probably comes because it requests the passphrase before
exporting. This didn't use to be the case (it just copied the protected
key file), but the way gpg-agent is dealing with the private key, it now
needs the passphrase to decrypt it, and then it is encrypted again with
the same passphrase before being output.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
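As an added example (not part of the thread, and not GnuPG's own code), a small POSIX shell check that applies the test described in the reply: it reads a `gpg --list-packets` dump and reports whether every secret (sub)key packet is passphrase-protected. The sample dumps are constructed from the two packets quoted above with placeholder key ids; `check_exported_key` assumes `gpg` is on PATH and is the only part that touches a real key.

```shell
# Classify a `gpg --list-packets` dump of an exported secret key.
# Rule (from the packet formats shown in the reply): a passphrase-protected
# (sub)key packet carries an S2K line and "skey[2]: [v4 protected]", whereas
# an unprotected one exposes its secret MPIs as "skey[N]: [M bits]".
# Prints "protected", "unprotected" (exit 1) or "no-secret-key" (exit 2).
classify_secret_key_dump() {
    awk '
        /^:secret (sub )?key packet:/ { n++; in_pkt = 1; next }
        /^:/                          { in_pkt = 0 }   # any other packet header
        in_pkt && /skey\[[0-9]+\]: \[[0-9]+ bits\]/ { plain++ }
        END {
            if (n == 0)    { print "no-secret-key"; exit 2 }
            if (plain > 0) { print "unprotected";   exit 1 }
            print "protected"
        }'
}

# Wrapper for a real export file (armored or binary); gpg dearmors it itself.
check_exported_key() {
    gpg --list-packets < "$1" | classify_secret_key_dump
}

# Constructed sample dumps, abbreviated from the two packets quoted in the reply
# (keyid replaced by a placeholder). gpg indents body lines with a tab; the
# classifier does not depend on the indentation.
PROTECTED_DUMP=':secret sub key packet:
    version 4, algo 1, created 1608251624, expires 0
    pkey[0]: [1024 bits]
    pkey[1]: [17 bits]
    iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 1546427246151681
    protect count: 32505856 (239)
    skey[2]: [v4 protected]
    keyid: 0000000000000000'
UNPROTECTED_DUMP=':secret sub key packet:
    version 4, algo 1, created 1608251706, expires 0
    pkey[0]: [1024 bits]
    pkey[1]: [17 bits]
    skey[2]: [1023 bits]
    skey[3]: [512 bits]
    checksum: 9f84
    keyid: 0000000000000000'

printf '%s\n' "$PROTECTED_DUMP"   | classify_secret_key_dump                    # protected
printf '%s\n' "$UNPROTECTED_DUMP" | classify_secret_key_dump || echo "status $?" # unprotected, status 1
```

A dump containing both a protected primary key and an unprotected subkey is reported as unprotected, since any plaintext `skey[]` line is enough to leak key material.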