Mailing List Archive

Does GPG Ever Store RSA Secret Keys On The Disk In Plain?
Hell everyone,

On this link
<https://www.gnupg.org/gph/en/manual/c481.html#:~:text=To%20help%20safeguard%20your%20key,passphrase%20to%20access%20the%20key.>
is the following statement:

> To help safeguard your key, GnuPG does not store your raw private key
> on disk. Instead it encrypts it using a symmetric encryption algorithm.
However, I'm not entirely clear on what happens when I do:
> gpg --export-secret-keys --armor <key_id>
Is the secret key block that appears on STDOUT my plain secret key or is
it its encrypted version?

Best regards,
Novak
Re: Does GPG Ever Store RSA Secret Keys On The Disk In Plain? [ In reply to ]
On 2020-12-16 at 14:47 -0500, Novak Bo?kov wrote:
> Hell everyone,
>
> On this link is the following statement:
> > To help safeguard your key, GnuPG does not store your raw private
> > key on disk. Instead it encrypts it using a symmetric encryption
> > algorithm.
> However, I'm not entirely clear on what happens when I do:
> > gpg --export-secret-keys --armor <key_id>
> Is the secret key block that appears on STDOUT my plain secret key
> or is it its encrypted version?

It is encrypted with your passphrase. You (or an attacker) will need
the passphrase in order to use that exported secret key.

Except if the secret key wasn't protected with a passphrase, in which
case the exported key isn't, either.

You can verify yourself if the key is protected or not by feeding it to
gpg --list-packets.

A key protected with a passphrase will have a packet similar to this:
:secret sub key packet:
version 4, algo 1, created 1608251624, expires 0
pkey[0]: [1024 bits]
pkey[1]: [17 bits]
iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt:
1546427246151681
protect count: 32505856 (239)
protect IV: eb f7 79 f8 0c cc b8 a6 e7 e4 88 c1 7b a8 0f e4
skey[2]: [v4 protected]
keyid: <key id>


whereas if it didn't have a passphrase, you would see a simpler packet
with the data directly available:
:secret sub key packet:
version 4, algo 1, created 1608251706, expires 0
pkey[0]: [1024 bits]
pkey[1]: [17 bits]
skey[2]: [1023 bits]
skey[3]: [512 bits]
skey[4]: [512 bits]
skey[5]: [511 bits]
checksum: 9f84
keyid: <key id>



The confusion probably comes because it requests the passphrase before
exporting. This didn't use to be the case (it just copied the protected
key file), but the way gpg-agent is dealing with the private key, it
now needs the passphrase to decrypt it, and then it is encrypted again
with the same passphrase before being output.



_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Does GPG Ever Store RSA Secret Keys On The Disk In Plain? [ In reply to ]
?ngel, your answer is correct, but incomplete.

The key is not encrypted with the passphrase, but with a secret key
derived (by S2K) from the passphrase with the help of a salt. Therefore
each export gives different export data, despite using the same passphrase.

/Ann.

Am 18.12.2020 um 01:43 schrieb ?ngel:
> On 2020-12-16 at 14:47 -0500, Novak Bo?kov wrote:
>> Hell everyone,
>>
>> On this link is the following statement:
>>> To help safeguard your key, GnuPG does not store your raw private
>>> key on disk. Instead it encrypts it using a symmetric encryption
>>> algorithm.
>> However, I'm not entirely clear on what happens when I do:
>>> gpg --export-secret-keys --armor <key_id>
>> Is the secret key block that appears on STDOUT my plain secret key
>> or is it its encrypted version?
> It is encrypted with your passphrase. You (or an attacker) will need
> the passphrase in order to use that exported secret key.
>
> Except if the secret key wasn't protected with a passphrase, in which
> case the exported key isn't, either.
>
> You can verify yourself if the key is protected or not by feeding it to
> gpg --list-packets.
>
> A key protected with a passphrase will have a packet similar to this:
> :secret sub key packet:
> version 4, algo 1, created 1608251624, expires 0
> pkey[0]: [1024 bits]
> pkey[1]: [17 bits]
> iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt:
> 1546427246151681
> protect count: 32505856 (239)
> protect IV: eb f7 79 f8 0c cc b8 a6 e7 e4 88 c1 7b a8 0f e4
> skey[2]: [v4 protected]
> keyid: <key id>
>
>
> whereas if it didn't have a passphrase, you would see a simpler packet
> with the data directly available:
> :secret sub key packet:
> version 4, algo 1, created 1608251706, expires 0
> pkey[0]: [1024 bits]
> pkey[1]: [17 bits]
> skey[2]: [1023 bits]
> skey[3]: [512 bits]
> skey[4]: [512 bits]
> skey[5]: [511 bits]
> checksum: 9f84
> keyid: <key id>
>
>
>
> The confusion probably comes because it requests the passphrase before
> exporting. This didn't use to be the case (it just copied the protected
> key file), but the way gpg-agent is dealing with the private key, it
> now needs the passphrase to decrypt it, and then it is encrypted again
> with the same passphrase before being output.
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Does GPG Ever Store RSA Secret Keys On The Disk In Plain? [ In reply to ]
On Fri, 18 Dec 2020 12:54, Annie Yousar said:

> The key is not encrypted with the passphrase, but with a secret key
> derived (by S2K) from the passphrase with the help of a
> salt. Therefore each export gives different export data, despite using
> the same passphrase.

That is because GnuPG internally stores the secret key in a different
format than what is specified for the OpenPGP secret key exchange
format. Thus in general we need to re-encrypt the secret key for export
and thus a fresh salt is used.

Also not yet officially specified, it is also okay to export the
internal format (those <40hexdigits>.key files). This is often useful
if an encryption subkey needs to be shared between members of a team
(role accounts etc.)

Please take care if planning this because those key files may contain
meta data (e.g. a description of the key) and the passphrase is not as
strong as usual OpenPGP encryption. Thus convey only over a secure
channel (i.e. with an additional encryption and authentication layer).


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Does GPG Ever Store RSA Secret Keys On The Disk In Plain? [ In reply to ]
Hi Annie,

I am not sure that I follow.

First, it looks like multiple exports _do_ result in the exactly same
export data:

> FIRST=$(gpg --export-secret-keys --armor <my_key_id>)
> SECOND=$(gpg --export-secret-keys --armor <my_key_id>)
> if [ "$FIRST" == "$SECOND" ]; then echo "Outputs are equal"; fi
> Outputs are equal

Which makes perfect sense to me. I would indeed expect my secret key
encrypted with my passphrase to be the same across multiple invocations
of the export command.

If a salt is used, how come that I can take my key that I've gotten
through a `gpg --export-secret-keys --armor ...` call and import it on a
different machine using only my passphrase?

Could you please elaborate a bit more on this or/and provide some useful
resources?

Best regards,
Novak
Re: Does GPG Ever Store RSA Secret Keys On The Disk In Plain? [ In reply to ]
I am not sure that I follow.

First, it looks like multiple exports _do_ result in the exactly same
export data:

> $ FIRST=$(gpg --export-secret-keys --armor <my_key_id>)
> $ SECOND=$(gpg --export-secret-keys --armor <my_key_id>)
> $ if [ "$FIRST" == "$SECOND" ]; then echo "Outputs are equal"; fi
> $ Outputs are equal

Which makes perfect sense to me. I would indeed expect my secret key
encrypted with my passphrase to be the same across multiple invocations
of the export command.

If a salt is used, how come that I can take my key that I've gotten
through a `gpg --export-secret-keys --armor ...` call and import it on a
different machine using only my passphrase?

Could you please elaborate a bit more on this or/and provide some useful
resources?

/Best regards,
Novak
/
Re: Does GPG Ever Store RSA Secret Keys On The Disk In Plain? [ In reply to ]
On Mon, 21 Dec 2020 17:12, Novak Boškov said:

> First, it looks like multiple exports _do_ result in the exactly same
> export data:

What version of GnuPG are you using? A legacy 1.4 version or, worse,
the unmaintained 2.0 version?


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Does GPG Ever Store RSA Secret Keys On The Disk In Plain? [ In reply to ]
It is gpg version 2.2.4 with libgcrypt 1.8.1.

So, the two subsequent exports are supposed to give me my private key
encrypted with two different AES keys (same passphrase + a different salt)?
How does transferring the keys to a different machine is supposed to
work then?

On 12/21/20 5:42 PM, Werner Koch wrote:
> On Mon, 21 Dec 2020 17:12, Novak Boškov said:
>
>> First, it looks like multiple exports _do_ result in the exactly same
>> export data:
> What version of GnuPG are you using?  A legacy 1.4 version or, worse,
> the unmaintained 2.0 version?
>
>
> Shalom-Salam,
>
>    Werner
>

--
Novak

On 12/21/20 5:53 PM, Novak Boškov wrote:
> So, the two subsequent exports are supposed to give me my private key
> encrypted with two different AES keys (same passphrase + a different salt)?
> How does transferring the keys to a different machine is supposed to
> work then?
>
> On 12/21/20 5:42 PM, Werner Koch wrote:
>> On Mon, 21 Dec 2020 17:12, Novak Boškov said:
>>
>>> First, it looks like multiple exports _do_ result in the exactly same
>>> export data:
>> What version of GnuPG are you using? A legacy 1.4 version or, worse,
>> the unmaintained 2.0 version?
>>
>>
>> Shalom-Salam,
>>
>> Werner
>>
> -- Novak
--
    Novak Boškov
    /PhD Student/
    /Electrical & Computer Engineering Department/
    /Boston University/
Re: Does GPG Ever Store RSA Secret Keys On The Disk In Plain? [ In reply to ]
On Mon, 21 Dec 2020 18:47, Novak Boškov said:

> So, the two subsequent exports are supposed to give me my private key
> encrypted with two different AES keys (same passphrase + a different salt)?

Right:

First packet of the first export:

# off=0 ctb=95 tag=5 hlen=3 plen=1414
:secret key packet:
version 4, algo 1, created 1568715099, expires 0
pkey[0]: [3072 bits]
pkey[1]: [17 bits]
iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: E28C8328510DEDC0
protect count: 30408704 (237)
protect IV: 6e a3 36 63 19 2c fc 87 b2 c6 be d3 03 41 09 56
skey[2]: [v4 protected]
keyid: F29010625F3EDDDA

First packet of the second export:

# off=0 ctb=95 tag=5 hlen=3 plen=1414
:secret key packet:
version 4, algo 1, created 1568715099, expires 0
pkey[0]: [3072 bits]
pkey[1]: [17 bits]
iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 24725FA6DAA0883C
protect count: 30408704 (237)
protect IV: f5 29 51 fe 73 02 1a 31 19 fd bf fe ae 37 ef 23
skey[2]: [v4 protected]
keyid: F29010625F3EDDDA

You see that the salt and the IV are both different. The protection
count is the same because this is a constant computed by gpg-agent at
startup my measuring the speed of the KDF. The actual encrypted key
data (not shown) is also different.

> How does transferring the keys to a different machine is supposed to
> work then?

box1$ gpg --export-secret-key FINGERPRINT >key.sec

box2$ gpg --import key.sec

You need to enter the passphrase during export. For import the
re-encryption is delayed until the key is used and thus you won't need a
passphrase immediately.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Does GPG Ever Store RSA Secret Keys On The Disk In Plain? [ In reply to ]
> box1$ gpg --export-secret-key FINGERPRINT >key.sec
>
> box2$ gpg --import key.sec
OK, I see why this works. Because the salt, IV and protect count are all
stored in plain alongside the encrypted version of the secret key.

However, my secret key packets do not have that `iter+salt`, `protect
count` and `protect IV` parts. They have the plain `skey` parts. That
may be the reason why my subsequent exports are byte-equal.

Now, the issue that I have is that `gpg --passwd <key_id>` says that my
key is protected by a passphrase. It asks for the current passphrase
before it lets me type in the new one. How can it be that `gpg --passwd
<key_id>` asks for the passphrase if `gpg --list-packets <key_id>` does
not have the `iter+salt` part? In other words, is <key_id> protected by
a passphrase or not?

On 12/22/20 1:46 AM, Werner Koch wrote:
> On Mon, 21 Dec 2020 18:47, Novak Boškov said:
>
>> So, the two subsequent exports are supposed to give me my private key
>> encrypted with two different AES keys (same passphrase + a different salt)?
> Right:
>
> First packet of the first export:
>
> # off=0 ctb=95 tag=5 hlen=3 plen=1414
> :secret key packet:
> version 4, algo 1, created 1568715099, expires 0
> pkey[0]: [3072 bits]
> pkey[1]: [17 bits]
> iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: E28C8328510DEDC0
> protect count: 30408704 (237)
> protect IV: 6e a3 36 63 19 2c fc 87 b2 c6 be d3 03 41 09 56
> skey[2]: [v4 protected]
> keyid: F29010625F3EDDDA
>
> First packet of the second export:
>
> # off=0 ctb=95 tag=5 hlen=3 plen=1414
> :secret key packet:
> version 4, algo 1, created 1568715099, expires 0
> pkey[0]: [3072 bits]
> pkey[1]: [17 bits]
> iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 24725FA6DAA0883C
> protect count: 30408704 (237)
> protect IV: f5 29 51 fe 73 02 1a 31 19 fd bf fe ae 37 ef 23
> skey[2]: [v4 protected]
> keyid: F29010625F3EDDDA
>
> You see that the salt and the IV are both different. The protection
> count is the same because this is a constant computed by gpg-agent at
> startup my measuring the speed of the KDF. The actual encrypted key
> data (not shown) is also different.
>
>> How does transferring the keys to a different machine is supposed to
>> work then?
> box1$ gpg --export-secret-key FINGERPRINT >key.sec
>
> box2$ gpg --import key.sec
>
> You need to enter the passphrase during export. For import the
> re-encryption is delayed until the key is used and thus you won't need a
> passphrase immediately.
>
>
> Shalom-Salam,
>
> Werner
>
--
    Novak Boškov
    /PhD Student/
    /Electrical & Computer Engineering Department/
    /Boston University/
Re: Does GPG Ever Store RSA Secret Keys On The Disk In Plain? [ In reply to ]
This is confusing.

If I do:

> $ gpg --output sec_key.pgp --export-secret-keys <key_id>
> $ gpg --list-packets sec_key.pgp

My :secret sub key packet: looks more like the latter, which Angel says
indicates my key is _not_ protected by a passphrase.

However, if I do:

> $ gpg --passwd <key_id>

It asks me to enter the key's passphrase to "unlock it". Now, why does
it ask me to enter the passphrase if there is no passphrase for the
given key?

Ultimately, which one of the two is right; is my key stored in plane on
the disk because it does not have the `iter+salt` part in `gpg
--list-packets`, or is it stored encrypted using my passphrase that `gpg
--passwd` asks for?

I would be surprised if both can be true at the same time.

--
    Novak