
Re: Help! I messed up guix-past

From: Ricardo Wurmus
Subject: Re: Help! I messed up guix-past
Date: Tue, 13 Sep 2022 11:23:05 +0200
User-agent: mu4e 1.8.7; emacs 28.1

Hi Konrad,

>> Such keys cannot be accessed without knowing the passphrase, no matter
>> what software you use.
> I agree in theory, but practice disagrees. The only other explanation I
> can see is that GnuPG has stored my password somewhere in the file
> system without me knowing about it. That isn't a reassuring explanation
> either.
> Demo:
>   $ gpg --list-keys
>   pub   rsa4096 2018-06-11 [SC]
>         076A1D7B1EF77E068D2AC07CEC17F85277D7932C
>   uid           [ultimate] Konrad Hinsen ( <>
>   sub   rsa4096 2018-06-11 [E]
> The "protection mode" of this key is openpgp-s2k3-sha1-aes-cbc (I looked
> it up in the key file, following the documentation you pointed to).
>   $ echo 1 2 3 | gpg -r --encrypt --armor > counting.gpg
>   $ gpg --decrypt counting.gpg 
>   gpg: WARNING: server 'gpg-agent' is older than us (2.2.19 < 2.2.32)
>   gpg: Note: Outdated servers may lack important security fixes.
>   gpg: Note: Use the command "gpgconf --kill all" to restart them.
>   gpg: encrypted with 4096-bit RSA key, ID 8A9433D79D772795, created 2018-06-11
>         "Konrad Hinsen ( <>"
>   1 2 3

This is the gpg-agent unlocking the key.

> I haven't typed in the key's password for a few months. The last time I
> did was before the update of GnuPG that broke everything for me. I have
> rebooted the machine many times since then.

Many graphical user environments come with a key manager that unlocks
all secrets on login.  One example is Seahorse, which is used by Gnome
to unlock the Gnome keyring on login.

My guess is that GPG is blissfully unaware of your passphrase until
Seahorse unlocks the key on login and provides it to gpg-agent.

So this would really not be about GPG doing something silly or unsafe,
but rather about Seahorse and the Gnome keyring doing what they were
designed to do: quietly unlocking secrets on login.

