Concerning subkey passwords: changes to private key storage method?

initramfs initramfs at initramfs.io
Thu Oct 20 12:29:05 CEST 2016


Dear GnuPG mailing list,

Recently I've attempted to create a new GPG key (one master + 2 subkeys)
with gpg --full-gen-key --expert and at the end of the key generation
process (including gpg --edit-key --expert) I noticed I never got to set
specific passwords/passphrases per subkey. This is in contrast to my
older GPG 2.1 master key, which requires a separate password per subkey
(and one for the master).

If I recall correctly, GPG private keys are stored under symmetric
encryption where a PBKDF derives the symmetric encryption key,
protecting the keys in case of compromise. Having separate passwords per
subkey implies that each key is encrypted and stored separately. This
does not seem to be the case with newer keys. Has the key storage method
changed? Or am I missing an obvious option to set it as such?

What's even weirder is that if I import my old master key into
keychain, I get the "old" behavior of separate passwords for that
specific key. Exporting and reimporting does not change the behavior.
Whereas there doesn't seem to be an option (at least in --edit-key) to
use the behavior of one password per subkey.

Was there a change made within the 2.1.x branch that changed the
behavior of key storage/encryption? If so, is there a way to toggle
between the aforementioned behaviors?

Regards,
initramfs

N.B. I'm fairly certain the "old" key I have was created with GPG 2.1
given that it's an ECC key. I've recently moved from Arch to Gentoo, if
that matters at all (using the same GnuPG version).
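Since the question turns on how GnuPG 2.1 stores each private key, here is an added example (not code from GnuPG and not the poster's) that lets you check the storage directly. In 2.1 the agent keeps one file per key, primary and each subkey alike, in ~/.gnupg/private-keys-v1.d/<KEYGRIP>.key, each a canonical S-expression; the script parses those files and reports per file whether the key is passphrase-protected and with which S2K mode. The field layout it assumes (`protected-private-key` / `private-key` / `shadowed-private-key`, and `(protected <mode> ((sha1 <salt> <count>) <iv>) <ciphertext>)`) follows the sketch in GnuPG's agent/keyformat.txt; the two sample key files at the bottom are constructed, with dummy salt, IV and ciphertext, so the script runs offline.

```python
"""Inspect the per-key files GnuPG 2.1 keeps in ~/.gnupg/private-keys-v1.d/.

Added example, not GnuPG's code. Assumed layout (from GnuPG's agent/keyformat.txt):
  (protected-private-key (<algo> <params>...
      (protected <mode> ((sha1 <salt> <count>) <iv>) <ciphertext>)
      (protected-at <timestamp>)) ...)
  (private-key (<algo> ...))          unprotected: no passphrase at all
  (shadowed-private-key ...)          smartcard stub
Every file is one canonical S-expression: '(' ')' and '<len>:<bytes>' atoms.
"""
import glob
import os
from typing import Dict, List, Union

SExp = Union[bytes, List["SExp"]]


def parse_canonical_sexp(data: bytes) -> SExp:
    """Parse exactly one canonical S-expression (no whitespace, no quoting)."""
    pos = 0

    def parse() -> SExp:
        nonlocal pos
        if pos >= len(data):
            raise ValueError("unexpected end of input")
        c = data[pos:pos + 1]
        if c == b"(":
            pos += 1
            items: List[SExp] = []
            while data[pos:pos + 1] != b")":
                if pos >= len(data):
                    raise ValueError("unterminated list")
                items.append(parse())
            pos += 1
            return items
        if c.isdigit():  # atom: decimal length, colon, raw bytes
            colon = data.index(b":", pos)
            length = int(data[pos:colon])
            start = colon + 1
            if start + length > len(data):
                raise ValueError("truncated atom")
            pos = start + length
            return data[start:pos]
        raise ValueError(f"unexpected byte {c!r} at offset {pos}")

    exp = parse()
    if pos != len(data):
        raise ValueError("trailing bytes after S-expression")
    return exp


def to_canonical(exp: SExp) -> bytes:
    """Inverse of parse_canonical_sexp; used here only to build sample files."""
    if isinstance(exp, bytes):
        return b"%d:%s" % (len(exp), exp)
    return b"(" + b"".join(to_canonical(e) for e in exp) + b")"


def describe_key(data: bytes) -> dict:
    """Summarise one key file: kind, algorithm and, if protected, S2K mode/count."""
    exp = parse_canonical_sexp(data)
    if not isinstance(exp, list) or not exp or not isinstance(exp[0], bytes):
        raise ValueError("not a key S-expression")
    kind = exp[0].decode("ascii")
    info = {"kind": kind, "protected": kind == "protected-private-key",
            "algo": None, "s2k": None, "iterations": None, "protected_at": None}
    if kind in ("private-key", "protected-private-key") and len(exp) > 1:
        algo_block = exp[1]
        info["algo"] = algo_block[0].decode("ascii")
        for item in algo_block[1:]:
            if not (isinstance(item, list) and item):
                continue
            if item[0] == b"protected":
                # [b"protected", mode, [[hash, salt, count], iv], ciphertext]
                info["s2k"] = item[1].decode("ascii")
                kdf = item[2][0]
                info["iterations"] = int(kdf[2].decode("ascii"))  # count is a decimal string
            elif item[0] == b"protected-at":
                info["protected_at"] = item[1].decode("ascii")
    return info


def scan_private_keys(directory: str) -> Dict[str, dict]:
    """Map each <keygrip>.key file in the directory to its description."""
    result = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.key"))):
        with open(path, "rb") as fh:
            result[os.path.basename(path)] = describe_key(fh.read())
    return result


# Constructed samples (dummy salt/IV/ciphertext), not real key material.
SAMPLE_PROTECTED = to_canonical([
    b"protected-private-key",
    [b"ecc", [b"curve", b"Ed25519"], [b"flags", b"eddsa"], [b"q", b"\x40" + b"\x11" * 32],
     [b"protected", b"openpgp-s2k3-sha1-aes-cbc",
      [[b"sha1", b"\x01" * 8, b"3097152"], b"\x02" * 16], b"\x03" * 64],
     [b"protected-at", b"20161020T102905"]],
    [b"comment", b"constructed sample"],
])
SAMPLE_UNPROTECTED = to_canonical([
    b"private-key",
    [b"ecc", [b"curve", b"Ed25519"], [b"flags", b"eddsa"],
     [b"q", b"\x40" + b"\x11" * 32], [b"d", b"\x22" * 32]],
])

if __name__ == "__main__":
    keydir = os.path.expanduser("~/.gnupg/private-keys-v1.d")
    for name, info in scan_private_keys(keydir).items():
        print(name, info)
    print("sample protected:  ", describe_key(SAMPLE_PROTECTED))
    print("sample unprotected:", describe_key(SAMPLE_UNPROTECTED))
```

Each file name is a keygrip; `gpg --list-secret-keys --with-keygrip` shows which keygrip belongs to the primary key and to each subkey, so running the scanner against your own directory tells you, per subkey, whether that subkey's file is protected at all and which S2K mode it carries.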


