Does GPG Ever Store RSA Secret Keys On The Disk In Plain?

[Ángel]

On 2020-12-16 at 14:47 -0500, Novak Boškov wrote:
> Hell everyone,
> 
> On this link is the following statement:
> > To help safeguard your key, GnuPG does not store your raw private
> > key on disk. Instead it encrypts it using a symmetric encryption
> > algorithm.
>  However, I'm not entirely clear on what happens when I do:
> > gpg --export-secret-keys --armor <key_id>
>  Is the secret key block that appears on STDOUT my plain secret key
> or is it its encrypted version?

It is encrypted with your passphrase. You (or an attacker) will need
the passphrase in order to use that exported secret key.

Except if the secret key wasn't protected with a passphrase, in which
case the exported key isn't, either.

You can verify yourself if the key is protected or not by feeding it to
gpg --list-packets.

A key protected with a passphrase will have a packet similar to this:
:secret sub key packet:
	version 4, algo 1, created 1608251624, expires 0
	pkey[0]: [1024 bits]
	pkey[1]: [17 bits]
	iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt:
1546427246151681
	protect count: 32505856 (239)
	protect IV:  eb f7 79 f8 0c cc b8 a6 e7 e4 88 c1 7b a8 0f e4
	skey[2]: [v4 protected]
	keyid: <key id>


whereas if it didn't have a passphrase, you would see a simpler packet
with the data directly available:
:secret sub key packet:
	version 4, algo 1, created 1608251706, expires 0
	pkey[0]: [1024 bits]
	pkey[1]: [17 bits]
	skey[2]: [1023 bits]
	skey[3]: [512 bits]
	skey[4]: [512 bits]
	skey[5]: [511 bits]
	checksum: 9f84
	keyid: <key id>



The confusion probably comes because it requests the passphrase before
exporting. This didn't use to be the case (it just copied the protected
key file), but the way gpg-agent is dealing with the private key, it
now needs the passphrase to decrypt it, and then it is encrypted again
with the same passphrase before being output.