On Mon, 21 Dec 2020 18:47, Novak Boškov said:

> So, the two subsequent exports are supposed to give me my private key
> encrypted with two different AES keys (same passphrase + a different salt)?

Right:

First packet of the first export:

    # off=0 ctb=95 tag=5 hlen=3 plen=1414
    :secret key packet:
        version 4, algo 1, created 1568715099, expires 0
        pkey[0]: [3072 bits]
        pkey[1]: [17 bits]
        iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: E28C8328510DEDC0
        protect count: 30408704 (237)
        protect IV: 6e a3 36 63 19 2c fc 87 b2 c6 be d3 03 41 09 56
        skey[2]: [v4 protected]
        keyid: F29010625F3EDDDA

First packet of the second export:

    # off=0 ctb=95 tag=5 hlen=3 plen=1414
    :secret key packet:
        version 4, algo 1, created 1568715099, expires 0
        pkey[0]: [3072 bits]
        pkey[1]: [17 bits]
        iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 24725FA6DAA0883C
        protect count: 30408704 (237)
        protect IV: f5 29 51 fe 73 02 1a 31 19 fd bf fe ae 37 ef 23
        skey[2]: [v4 protected]
        keyid: F29010625F3EDDDA

You see that the salt and the IV are both different. The protection
count is the same because this is a constant computed by gpg-agent at
startup by measuring the speed of the KDF. The actual encrypted key data
(not shown) is also different.

> How is transferring the keys to a different machine supposed to
> work then?

    box1$ gpg --export-secret-key FINGERPRINT >key.sec
    box2$ gpg --import key.sec

You need to enter the passphrase during export. For import the
re-encryption is delayed until the key is used and thus you won't need a
passphrase immediately.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
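
Added example, not part of the message above and not GnuPG's own code: the iterated+salted S2K derivation from RFC 4880 (SHA-1 for "hash: 2", a 16-byte AES-128 key for "algo: 7"), run with the two salts and the coded count 237 from the packet dumps. The passphrase and all function names are constructed for the illustration.

```python
import hashlib

# Salts copied from the two packet dumps above; the passphrase is constructed.
SALT_EXPORT_1 = bytes.fromhex("E28C8328510DEDC0")
SALT_EXPORT_2 = bytes.fromhex("24725FA6DAA0883C")
CODED_COUNT = 237                      # the "(237)" in "protect count"
PASSPHRASE = b"constructed example passphrase"


def decode_count(coded: int) -> int:
    """Expand the one-octet coded count (RFC 4880, section 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iter_salted_sha1(passphrase: bytes, salt: bytes, coded: int,
                         key_len: int = 16) -> bytes:
    """Iterated+salted S2K with SHA-1 (hash 2); 16 bytes = AES-128 (algo 7)."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be 8 octets")
    if key_len > hashlib.sha1().digest_size:
        raise ValueError("keys longer than one SHA-1 digest are not handled here")
    block = salt + passphrase
    # At least one full salt+passphrase is always hashed.
    count = max(decode_count(coded), len(block))
    reps, tail = divmod(count, len(block))
    h = hashlib.sha1()
    chunk = block * 4096               # hash in large chunks for speed
    big, small = divmod(reps, 4096)
    for _ in range(big):
        h.update(chunk)
    h.update(block * small)
    h.update(block[:tail])
    return h.digest()[:key_len]


def derive_both() -> tuple[bytes, bytes]:
    """Protection keys for the two exports: same passphrase, different salt."""
    return (s2k_iter_salted_sha1(PASSPHRASE, SALT_EXPORT_1, CODED_COUNT),
            s2k_iter_salted_sha1(PASSPHRASE, SALT_EXPORT_2, CODED_COUNT))


if __name__ == "__main__":
    k1, k2 = derive_both()
    print("count :", decode_count(CODED_COUNT))
    print("key 1 :", k1.hex())
    print("key 2 :", k2.hex())
    print("differ:", k1 != k2)
```

The coded count 237 expands to the 30408704 shown in both dumps, and the two salts yield unrelated AES keys from the same passphrase.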