> box1$ gpg --export-secret-key FINGERPRINT >key.sec
>
> box2$ gpg --import key.sec

OK, I see why this works. Because the salt, IV and protect count are all stored in plaintext alongside the encrypted version of the secret key.

However, my secret key packets do not have the `iter+salt`, `protect count` and `protect IV` parts. They have the plain `skey` parts. That may be the reason why my subsequent exports are byte-equal.

Now, the issue that I have is that `gpg --passwd <key_id>` says that my key is protected by a passphrase. It asks for the current passphrase before it lets me type in the new one. How can it be that `gpg --passwd <key_id>` asks for the passphrase if `gpg --list-packets <key_id>` does not have the `iter+salt` part? In other words, is <key_id> protected by a passphrase or not?

On 12/22/20 1:46 AM, Werner Koch wrote:
> On Mon, 21 Dec 2020 18:47, Novak Boškov said:
>
>> So, the two subsequent exports are supposed to give me my private key
>> encrypted with two different AES keys (same passphrase + a different salt)?
>
> Right:
>
> First packet of the first export:
>
>   # off=0 ctb=95 tag=5 hlen=3 plen=1414
>   :secret key packet:
>           version 4, algo 1, created 1568715099, expires 0
>           pkey[0]: [3072 bits]
>           pkey[1]: [17 bits]
>           iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: E28C8328510DEDC0
>           protect count: 30408704 (237)
>           protect IV: 6e a3 36 63 19 2c fc 87 b2 c6 be d3 03 41 09 56
>           skey[2]: [v4 protected]
>           keyid: F29010625F3EDDDA
>
> First packet of the second export:
>
>   # off=0 ctb=95 tag=5 hlen=3 plen=1414
>   :secret key packet:
>           version 4, algo 1, created 1568715099, expires 0
>           pkey[0]: [3072 bits]
>           pkey[1]: [17 bits]
>           iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 24725FA6DAA0883C
>           protect count: 30408704 (237)
>           protect IV: f5 29 51 fe 73 02 1a 31 19 fd bf fe ae 37 ef 23
>           skey[2]: [v4 protected]
>           keyid: F29010625F3EDDDA
>
> You see that the salt and the IV are both different. The protection
> count is the same because this is a constant computed by gpg-agent at
> startup by measuring the speed of the KDF. The actual encrypted key
> data (not shown) is also different.
>
>> How is transferring the keys to a different machine supposed to
>> work then?
>
> box1$ gpg --export-secret-key FINGERPRINT >key.sec
>
> box2$ gpg --import key.sec
>
> You need to enter the passphrase during export. For import the
> re-encryption is delayed until the key is used and thus you won't need a
> passphrase immediately.
>
>
> Shalom-Salam,
>
>    Werner

-- 
Novak Boškov
PhD Student
Electrical & Computer Engineering Department
Boston University
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
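The thread turns on what `gpg --list-packets` shows in a tag-5 secret key packet: a usage octet of 0 followed by plain `skey[]` MPIs, versus 254/255 followed by an S2K specifier (cipher, hash, salt, coded count) and an IV before the encrypted MPIs. The example below is added here and is not code from the thread or from GnuPG; it parses that header from the packet body bytes (what follows the `ctb=95 hlen=3` header), expands the one-octet coded count the way `protect count: 30408704 (237)` does, and runs the iterated+salted S2K of RFC 4880 so the two salts from Werner's dumps can be seen to yield different keys from the same passphrase. The RSA modulus, the placeholder ciphertext and the passphrase are constructed; only the salt, IV, count and creation time are copied from the dumps.

```python
"""Parse the protection header of an OpenPGP v4 secret key packet (tag 5)
and run the iterated+salted S2K of RFC 4880 sections 3.7.1.3 and 5.5.3.
Added example, not from the thread or GnuPG; all byte strings below are
constructed here (salt/IV/count copied from the --list-packets dump)."""
import hashlib
import struct

# RFC 4880 9.2 cipher ids -> (block size = IV length, key length)
CIPHER_BLOCK_KEY = {
    1: (8, 16), 2: (8, 24), 3: (8, 16), 4: (8, 16),          # IDEA, 3DES, CAST5, Blowfish
    7: (16, 16), 8: (16, 24), 9: (16, 32),                   # AES-128/192/256
    10: (16, 32), 11: (16, 16), 12: (16, 24), 13: (16, 32),  # Twofish, Camellia
}
# RFC 4880 9.4 hash ids -> hashlib names
HASH_NAME = {1: "md5", 2: "sha1", 3: "ripemd160", 8: "sha256",
             9: "sha384", 10: "sha512", 11: "sha224"}
# number of public MPIs per public-key algorithm (RFC 4880 5.5.2)
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA variants, Elgamal, DSA


def decode_s2k_count(coded: int) -> int:
    """RFC 4880 3.7.1.3: one-octet coded count -> octets to hash.
    237 expands to 30408704, the `protect count` shown in the dump."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def iterated_salted_s2k(passphrase: bytes, salt: bytes, coded: int,
                        key_len: int, hash_id: int = 2) -> bytes:
    """S2K type 3: hash salt||passphrase repeated until `count` octets have
    been absorbed (the whole string once if it is longer than count). When a
    digest is shorter than key_len, further contexts preloaded with 1, 2, ...
    zero octets are concatenated (RFC 4880 3.7.1.1)."""
    count = decode_s2k_count(coded)
    block = salt + passphrase
    # whole repetitions per chunk keep the salt||passphrase cycle aligned
    chunk = block * max(1, 65536 // len(block))
    out, ctx = b"", 0
    while len(out) < key_len:
        h = hashlib.new(HASH_NAME[hash_id])
        h.update(b"\x00" * ctx)
        if len(block) > count:
            h.update(block)
        else:
            remaining = count
            while remaining > 0:
                piece = chunk[:remaining]
                h.update(piece)
                remaining -= len(piece)
        out += h.digest()
        ctx += 1
    return out[:key_len]


def parse_secret_key_protection(body: bytes) -> dict:
    """Skip the public part of a v4 tag-5 body, then report how the secret
    MPIs are stored: usage 0 = plain skey[], 254/255 = S2K protected."""
    if body[0] != 4:
        raise ValueError("only v4 key packets are handled")
    algo, pos = body[5], 6
    for _ in range(PUBLIC_MPIS[algo]):            # pkey[i]: 2-byte bit count + value
        (bits,) = struct.unpack(">H", body[pos:pos + 2])
        pos += 2 + (bits + 7) // 8
    usage, pos = body[pos], pos + 1
    info = {"pubkey_algo": algo, "usage": usage}
    if usage == 0:
        info.update(protected=False, skey_offset=pos)
        return info
    if usage not in (254, 255):
        raise ValueError("legacy protection (usage octet is a cipher id) not handled")
    sym, s2k_type, hash_id = body[pos], body[pos + 1], body[pos + 2]
    pos += 3
    salt = coded = None
    if s2k_type in (1, 3):                        # salted / iterated+salted
        salt, pos = body[pos:pos + 8], pos + 8
    if s2k_type == 3:
        coded, pos = body[pos], pos + 1
    block_len, key_len = CIPHER_BLOCK_KEY[sym]
    iv, pos = body[pos:pos + block_len], pos + block_len
    info.update(protected=True, sym_algo=sym, s2k_type=s2k_type, hash_id=hash_id,
                salt=salt.hex().upper() if salt else None, coded_count=coded,
                count=decode_s2k_count(coded) if coded is not None else None,
                iv=iv.hex(), key_len=key_len, encrypted_offset=pos,
                checksum="sha1" if usage == 254 else "sum16")
    return info


def _mpi(value: int) -> bytes:
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


# Constructed v4 RSA public part with a toy 128-bit modulus (not a real key); e = 65537 is "[17 bits]".
PUBLIC_PART = b"\x04" + struct.pack(">I", 1568715099) + b"\x01" + _mpi((1 << 127) | 0x1234567) + _mpi(65537)
# usage 254 (SHA1 checksum), AES-128, S2K type 3, SHA1, salt, coded count 237, IV, placeholder ciphertext
PROTECTED_BODY = (PUBLIC_PART + bytes([254, 7, 3, 2]) + bytes.fromhex("E28C8328510DEDC0")
                  + bytes([237]) + bytes.fromhex("6ea33663192cfc87b2c6bed303410956") + b"\x00" * 32)
# usage 0: secret MPIs follow in the clear, which is what a plain skey[] dump corresponds to
UNPROTECTED_BODY = PUBLIC_PART + b"\x00" + _mpi(0x1234) + b"\x00\x00"

if __name__ == "__main__":
    print(parse_secret_key_protection(PROTECTED_BODY))
    print(parse_secret_key_protection(UNPROTECTED_BODY))
```

The parser deliberately stops at the encrypted MPIs: decrypting them would need the passphrase and a CFB implementation, and the question in the thread is only whether the header carries S2K parameters at all. Legacy packets whose usage octet is itself a cipher id are rejected rather than guessed at. For a real key, `gpg --export-secret-keys FPR | gpg --list-packets` remains the tool of record; this code just makes the field layout behind that output explicit.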