How to prevent an OpenPGP private key from being exported?

1

Is there any way to prevent exporting a private OpenPGP key, like asking for the password before each export?

I tried exporting my private key several times, and GnuPG didn't ask me for the password before each export. The exported private key is encrypted, though.

Pidong

Posted 2016-08-03T20:08:30.340

Reputation: 21

Answers

0

Not really. In the end, all your private keys are stored on disk, and your passphrase is already what guards them against being stolen.

GnuPG 2.x sort of works the way you want. In 1.x, "exporting" just copied the relevant chunk of the secring (still encrypted, without any change) to the output file. In 2.x, key export goes through gpg-agent, which wants to first decrypt the key using the current passphrase and re-encrypt it with a new one.

But even if exporting was forbidden, someone could easily copy the secring.pgp or private-keys.d/ directly from your ~/.gnupg/. Without knowing the passphrase, however, they're useless.

user1686

Posted 2016-08-03T20:08:30.340

Reputation: 283 655
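The question notes that the exported private key is encrypted, and this answer explains that GnuPG 2.x re-encrypts it under a new passphrase on export. As an added example (not from this thread or from GnuPG itself), the following Python parser reads the S2K usage byte of an OpenPGP secret-key packet to tell an encrypted export from an unprotected one; the sample packets are constructed with dummy values and are not usable keys.

```python
# Read the S2K usage byte of an OpenPGP secret-key packet (RFC 4880, 5.5.3) to see
# whether the secret MPIs are passphrase-protected. Sample packets are constructed.
import struct
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA n,e / Elgamal p,g,y / DSA p,q,g,y

def skip_mpi(data, off):
    """Return the offset just past the MPI that starts at `off`."""
    bits = struct.unpack(">H", data[off:off + 2])[0]
    return off + 2 + (bits + 7) // 8

def parse_header(pkt):
    """Return (tag, header_len, body_len) for an old- or new-format packet header."""
    b = pkt[0]
    if b & 0x40:                                   # new-format header
        tag, first = b & 0x3F, pkt[1]
        if first < 192:  return tag, 2, first
        if first < 224:  return tag, 3, ((first - 192) << 8) + pkt[2] + 192
        if first == 255: return tag, 6, struct.unpack(">I", pkt[2:6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (b >> 2) & 0x0F, b & 0x03         # old-format header
    if ltype == 0: return tag, 2, pkt[1]
    if ltype == 1: return tag, 3, struct.unpack(">H", pkt[1:3])[0]
    if ltype == 2: return tag, 5, struct.unpack(">I", pkt[1:5])[0]
    raise ValueError("indeterminate length not supported")

def secret_key_protection(pkt):
    """Classify how the secret MPIs of a v4 secret-key packet are protected."""
    tag, hlen, blen = parse_header(pkt)
    if tag not in (5, 7):
        raise ValueError(f"tag {tag} is not a secret key or secret subkey packet")
    body = pkt[hlen:hlen + blen]
    if body[0] != 4:
        raise ValueError(f"unsupported key version {body[0]}")
    algo, off = body[5], 6                         # skip version (1) and creation time (4)
    for _ in range(PUBLIC_MPI_COUNT[algo]):
        off = skip_mpi(body, off)
    usage = body[off]
    if usage == 0:
        return "unprotected"                       # secret MPIs stored in the clear
    if usage in (254, 255):                        # S2K: cipher id, S2K type, hash id follow
        return f"s2k-protected(cipher={body[off+1]}, s2k={body[off+2]}, hash={body[off+3]})"
    return f"legacy-protected(cipher={usage})"     # pre-S2K form: the usage byte is the cipher id

def build_sample(protected):
    """Construct a minimal old-format RSA v4 secret-key packet with dummy (non-key) values."""
    pub = b"\x04\x57\xa2\x3b\x10\x01" + b"\x00\x10\xc1\x35" + b"\x00\x11\x01\x00\x01"  # v4, time, RSA, n, e
    if protected:  # usage 254, AES-256 (9), iterated+salted S2K (3), SHA-256 (8), salt, count, IV, ciphertext
        sec = b"\xfe\x09\x03\x08" + b"\x00" * 8 + b"\x60" + b"\x00" * 16 + b"\xaa" * 10
    else:          # usage 0: four tiny plaintext MPIs followed by a two-octet checksum
        sec = b"\x00" + b"\x00\x08\x7f" * 4 + b"\x02\x1c"
    body = pub + sec
    return bytes([0x80 | (5 << 2), len(body)]) + body  # old-format tag 5 header, one length octet
```

On a real export, `gpg --list-packets` on the output file reports the same fields (usage, cipher, S2K type and hash).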

0

Exporting the (encrypted) secret key is not any different from just copying the secret keyring. If you want to prevent this, you have to prevent access to the files (proper permissions, but you will hardly be able to protect it from the computer's system administrator or any malicious application running under your user's account).

There is a way to protect a private key from being copied, though: OpenPGP in general and specifically GnuPG have support for OpenPGP smartcards. Those smartcards hold their own crypto processor performing private key operations, so the private key will never leave the card (it cannot be exported after all). Such smartcards are available in different fashions: traditional smartcards as sold by KernelConcepts or shipped as the FSFE membership card. There are also USB tokens available, for example the YubiKeys and the Nitrokey.

Jens Erat

Posted 2016-08-03T20:08:30.340

Reputation: 14 141