Ubuntu – GnuPG Private key can be exported without password

gnupg

I'm using Seahorse on Ubuntu, and I found that using the 'export secret key' option allows me to save an unencrypted *.asc file containing my GnuPG private key, with neither root access nor the password used to secure the key. I cannot change the picture or other settings for the key without entering that password.

I am very new at this, but it seems to be a security risk. How can I configure my key so it can't be exported at the click of a button?

Best Answer

It's not a security risk. The only vulnerability you are ;). You have to make sure that does not get your private key into the wrong hands.

Everyone who has access to your system and has sufficient access rights, can copy your key. Seahorse can not prevent that, too.

Encrypt your partitions and use a sufficiently strong password for your user account. Lock your system when you leave your workstation. Made sure that your backups are encrypted.

Related Solutions

Ubuntu – How to verify if a exported gpg key is a public or a private one

Run on the command line:

gpg the-keyfile

With the-keyfile being the .asc (armored) or .pgp (binary) file. The output will either start with sec (secret available) or pub (public key only). This is a successful export of a secret key:

sec  [more key details]
ssb  [more subkey details]

And this for a public key:

pub  [more key details]
sub  [more subkey details]

Note that exporting the secret key also implies the public key (one can derive the public from the secret).

Ubuntu – How to share the public OpenPGP key using GnuPG

From the command line:

Run gpg --list-keys 'your name' to list the keys you currently have (replacing your name with the name you have while setting up):

$ gpg --list-keys muru      
/home/muru/.gnupg/pubring.gpg
--------------------------------
pub   2048R/AD0CC9B4 2015-07-15
uid                  muru
sub   2048R/450DAD90 2015-07-15

Note the fingerprint of the key you want to export. The fingerprint of my public key is AD0CC9B4. To export it, I'll do gpg --export (-a is for ASCII armour, so that the key is in the usual base64-encoded form):

$ gpg -a --export AD0CC9B4
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQENBFWm4zkBCADYo5ffanvwBVGMbfp3g+/RMYb41QRZXCGSUhZkU7m3BpPSoO/4
NBzD4KKAU6CTVzBmVmZoFGgK2dDIOv+ZCkB4USZM2cvvpu7I+jfaYZW7ouQ4uEYu
8xY8ugFn5ImsK4KN0OP+Iw1VBXLdvj/rEiV+gcH8QV0XhsfgczCxjS1dMV3AMD+h
# snip
Wo0X3XmrPpaHJf7MsjGmJGbHNX9ZLllyFWQPlNdu9ilLI9GMjSpJSqQ=
=l/Xm
-----END PGP PUBLIC KEY BLOCK-----

You can redirect the output to a file:

gpg -a --export AD0CC9B4 > my-pubkey.asc

Then my-pubkey.asc should contain your ASCII-armoured public key.

The corresponding private key can be exported with:

gpg -a --export-secret-keys AD0CC9B4

The output of this command will begin with

-----BEGIN PGP PRIVATE KEY BLOCK-----

Best Answer

Related Solutions

Ubuntu – How to verify if a exported gpg key is a public or a private one

Ubuntu – How to share the public OpenPGP key using GnuPG

Related Question