Security of the gpg private keyring?

David Shaw dshaw at jabberwocky.com
Mon Feb 28 15:09:35 CET 2011


On Feb 28, 2011, at 6:47 AM, Guy Halford-Thompson wrote:

> Assuming I have password protected secret keys, can I assume that the
> gpg private keyring is secure?  I.e., if my private keyring was to
> fall into malicious hands, would the aforesaid hands be able to
> extract any useful information from my password protected keys?
> 
> I am not taking about super-hackers cracking the keys here here...
> just things like metadata associated with the keys... email addresses,
> who has signed them, expiry date etc...

You can do quite a lot with stuff like this.  Who signed who can tell you who this person has met, and often where.  If you see a bunch of signatures around a particular date, look for a keysigning party on that date - now you have evidence they were there.  Email addresses can reveal an enormous amount of information about a person.  Robert and I did an experiment a few months ago where starting only from his public key, I was easily able to find out real-world addresses, parents names, siblings, etc.

However, all of this information is available in the *public* key as well.  There is no need for an attacker to get this from your secret key when he can just get it from a handy keyserver.

Assuming you have a good passphrase on your secret key, the attacker can't get into it any more than he could get into a message you send.

David




More information about the Gnupg-users mailing list