Version: 2.0.8 (using KDE 4.6.5)
OS: Linux

This is a feature request to encrypt GPG certificates when exporting private keys.

As of Kleopatra 2.0.12, "File --> Export Secret Key..." will copy the GPG private key in an ASCII armored (if desired) format. This key is unencrypted, and at risk of compromise. Encrypting the key using a symmetric algorithm is easy to do with GPG, and would protect users who want/need to have their private keys on removable media, or in multiple active locations.

Exporting the public and private GPG keys in an encrypted fashion can be done using the following commands [1], for example:

    gpg -K
    gpg --output pubkey.gpg --export {KEYID}
    gpg --output - --export-secret-key {KEYID} |\
      cat pubkey.gpg - |\
      gpg --armor --output keys.asc --symmetric --cipher-algo AES256

pinentry, if installed and configured, will prompt users for a symmetric AES256 passphrase. The resulting asc file will then be encrypted, and can be sent across a dangerous network, or written to, say, a Flash device. The UI should make clear that the password is encrypting the asc file only.

At present, the help files for Kleopatra only say "File -> Export Secret Key..." should basically not be done. This is unhelpful to end users, and is comparatively easy to fix.

On a related note, eradicating stored data (in this case, the exported private GPG key) is the subject of debate [2,3,4]. Exporting the file in an encrypted fashion permits the UI to "do the right thing" even if a user is not well educated in cryptography. Of course, some explanatory text for the export dialog would serve users well. In these cases, "shred" is your friend. :-)

[1] http://montemazuma.wordpress.com/2010/03/01/moving-a-gpg-key-privately/
[2] http://en.wikipedia.org/wiki/Data_remanence
[3] http://www.nber.org/sys-admin/overwritten-data-gutmann.html
[4] http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/index.html

Thanks for making great software!
have a day.
yad jdpf

Reproducible: Always

Steps to Reproduce:
1. Launch Kleopatra.
2. Choose a "certificate".
3. Choose "File --> Export Secret Key...".
4. Read the resulting keyfile; it is the naked GPG private key.

Actual Results:
The resulting keyfile is the naked GPG private key.

Expected Results:
The resulting keyfile from "Export Secret Key..." should be AES encrypted. Like so:

    gpg -K
    gpg --output pubkey.gpg --export {KEYID}
    gpg --output - --export-secret-key {KEYID} |\
      cat pubkey.gpg - |\
      gpg --armor --output keys.asc --symmetric --cipher-algo AES256

Example from http://montemazuma.wordpress.com/2010/03/01/moving-a-gpg-key-privately/

OS: Linux (x86_64) release 2.6.39-2-amd64
Compiler: gcc
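The following script is an added example and is not part of the bug report or of Kleopatra itself. It wraps the reporter's export-and-encrypt pipeline in a shell function and adds the check a cautious user would want before copying the result to removable media: the output file must carry a "PGP MESSAGE" armor header (symmetrically encrypted data), never a bare "PGP PRIVATE KEY BLOCK". The function names `classify_armor` and `export_keys_encrypted` are my own; the script assumes `gpg` is on PATH and that pinentry is configured to prompt for the symmetric passphrase.

```shell
#!/bin/sh
# Added example (not from the bug report or Kleopatra): export a key pair and
# symmetrically encrypt it, then refuse to keep the output unless it is an
# encrypted PGP MESSAGE. Assumes gpg on PATH and a working pinentry.

# Classify an ASCII-armored file by its first armor header line.
# Prints one of: encrypted, naked-secret-key, public-key, unknown.
classify_armor() {
    file="$1"
    header=$(grep '^-----BEGIN PGP ' "$file" 2>/dev/null | head -n 1)
    case "$header" in
        '-----BEGIN PGP MESSAGE-----')           echo encrypted ;;
        '-----BEGIN PGP PRIVATE KEY BLOCK-----') echo naked-secret-key ;;
        '-----BEGIN PGP PUBLIC KEY BLOCK-----')  echo public-key ;;
        *)                                       echo unknown ;;
    esac
}

# Export the public and secret key for KEYID, concatenate them, and encrypt the
# pair with AES256 under a passphrase (pinentry prompts for it). The output is
# removed and the function returns 1 if it is anything other than an encrypted
# message, so a naked private key never reaches the destination path.
export_keys_encrypted() {
    keyid="$1"
    out="$2"
    tmpdir=$(mktemp -d) || return 1
    gpg --output "$tmpdir/pubkey.gpg" --export "$keyid" || { rm -rf "$tmpdir"; return 1; }
    gpg --output - --export-secret-key "$keyid" \
      | cat "$tmpdir/pubkey.gpg" - \
      | gpg --armor --output "$out" --symmetric --cipher-algo AES256
    status=$?
    rm -rf "$tmpdir"
    [ "$status" -eq 0 ] || return 1
    if [ "$(classify_armor "$out")" != encrypted ]; then
        rm -f "$out"
        return 1
    fi
    return 0
}

# Usage (uncomment to run interactively):
# export_keys_encrypted "$KEYID" keys.asc && echo "keys.asc is encrypted, safe to copy"
```

Because `classify_armor` only reads the armor header, it can also be run on any `.asc` file already sitting on a USB stick to confirm that it is an encrypted message rather than an exported secret key.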
Needs more discussion.