zulag wrote:
> 1. The GnuPG documentation states that "--export-secret-key" is "a
> security risk". Since no passphrase is asked, I imagine the exported
> key is not clear text. So why is it a security risk? Because it would
> make it impossible (useless) to change the secret key passphrase later
> if the exported encrypted file goes public?

I suppose it is clear text, and that would be the reason for the "security risk" warning. The idea of exporting a secret key is to import it in another place, so it must be cleartext... unless you want to back it up; in that case, you can encrypt it right after exporting it... But all this is what I suppose, since I don't remember having exported a secret key from the command line.

> 2. Is it a bad practice to encrypt a file and then "clearsign" the
> encrypted file instead of doing directly "-ea" (with which we cannot
> check the signature before extracting, if we ever wanted to)?

I remember somebody asked the same question a couple of months ago, and the answer was: If you encrypt it and then sign it, if somebody steals the message, he would get the sender's key ID from the signature. If you sign it and then encrypt it, the thief would not have any info about the sender.

I suppose decrypting a file is not a security threat, so there should not be a problem if you decrypt a message and just then you notice it doesn't come from the sender... (invalid signature).

Best Regards

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
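
The point made in the answer to question 2, as an added example that is not part of the original message: a signature placed outside the encryption is an ordinary OpenPGP signature packet (RFC 4880), and its issuer subpacket can be read without any key. The packet bytes, the key ID and all function names are constructed for illustration; only new-format packet headers and one-octet subpacket lengths are handled.

```python
import struct

def packets(data):
    """Yield (tag, body) for new-format OpenPGP packets (RFC 4880 sec. 4.2.2)."""
    i = 0
    while i < len(data):
        if data[i] & 0xC0 != 0xC0:
            raise ValueError("only new-format packet headers are handled")
        tag, first = data[i] & 0x3F, data[i + 1]
        if first < 192:
            length, i = first, i + 2
        elif first < 224:
            length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
        elif first == 255:
            length, i = struct.unpack(">I", data[i + 2:i + 6])[0], i + 6
        else:
            raise ValueError("partial body lengths are not handled")
        yield tag, data[i:i + length]
        i += length

def issuer_key_id(sig):
    """Issuer key ID (subpacket type 16) of a v4 signature body, or None."""
    if sig[0] != 4:
        return None
    pos = 4  # skip version, signature type, public-key and hash algorithm
    for _ in range(2):  # hashed subpacket area, then unhashed area
        end = pos + 2 + struct.unpack(">H", sig[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            sp_len = sig[pos]  # one-octet subpacket lengths only (< 192)
            if sig[pos + 1] & 0x7F == 16:
                return sig[pos + 2:pos + 1 + sp_len].hex().upper()
            pos += 1 + sp_len
    return None

def visible_signers(data):
    """Signer key IDs readable from the outer packets, with no decryption."""
    return [issuer_key_id(body) for tag, body in packets(data) if tag == 2]

def pkt(tag, body):  # helper used only to build the constructed samples
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed samples: key IDs, MPIs and ciphertext are placeholders.
SIG = pkt(2, bytes([4, 1, 1, 8]) + b"\x00\x06\x05\x02" + bytes(4)
          + b"\x00\x0a\x09\x10" + bytes.fromhex("0123456789ABCDEF")
          + b"\x00\x00\x00\x01\x01")
ENCRYPTED = pkt(1, b"\x03" + bytes(8) + b"\x01\x00\x01\x01") + pkt(18, b"\x01" + bytes(32))
if __name__ == "__main__":
    print(visible_signers(ENCRYPTED + SIG), visible_signers(ENCRYPTED))
```

`ENCRYPTED + SIG` stands for what an interceptor holds after encrypt-then-sign; `ENCRYPTED` alone stands for sign-then-encrypt, where the signature packet sits inside the ciphertext.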