Protecting secret keys

dhmanesh

08 Jul, 2015 04:30 PM

Is there a way to make GPG Keychain (Mac) export the secret keys only when the user provides a passphrase? As it stands all my GPG keys could be compromised if someone gains access to my laptop.

I noticed that Bill asked this very question on 11 Aug 2012. The answer by Steve to that query seems incorrect. GPG Keychain allows editing and exporting keys without a passphrase.

Many thanks in advance,

Davood

  1. Support Staff 1 Posted by Steve on 08 Jul, 2015 05:06 PM

    Hi Davood,

    if someone gains access to your laptop without having a password set up in the OSX screensaver, all kinds of things can happen. Starting with key loggers being installed and ending with all kinds of malware running on your system. So probably then, leaked sec keys (but not their passphrases - with which they are still protected) is one of the minor issues you'd be facing in that scenario.

    The above already includes the countermeasure to this issue: set up a screensaver with a password which kicks in after a few minutes of unused time if you work in multidesk work environments or travel a lot.

    Could you link the discussion from Bill so I can revisit and correct potential errors? Just from the context we are speaking about maybe I should have clarified that there is a) the OSX password in connection with a screensaver and b) the passphrase connected to your sec key.

    All the best,
    steve

  2. 2 Posted by Davood Heshmaty on 08 Jul, 2015 05:22 PM

    Hi Steve,

    Thanks for your quick reply. Here is the link to Bill's query:
    http://support.gpgtools.org/discussions/problems/1667-access-to-sec...

    You are quite right about the screensaver password. I will certainly do that. But do you not think that it would be sensible to have the option in preferences of GPG Keychain that editing and exporting of keys won't be allowed without a password?

    Best regards,

    Davood

  3. Support Staff 3 Posted by Steve on 08 Jul, 2015 05:34 PM

    We do agree that having an option to generally protect GPG Keychain with a password would be nice to have. That would then also cover key editing of course.

    We have a ticket for this problem. I connected this discussion with the existing ticket. That means, should this discussion get closed, it will be re-opened as soon as the ticket is closed. That way you'll receive a notification. Feel free to open a new discussion should you run into further problems or need assistance.

    Also you are right, my reply to Bill is all but complete. I'll go ahead and update it to cover all bases. Thanks for bringing that up.

    Does that answer your question?

    Kindly,
    steve

  4. 4 Posted by dhmanesh on 08 Jul, 2015 08:30 PM

    Hi Steve,

    Yes I am very happy with your plan.
    I was thinking of a scenario where you may have to take your laptop for repair. You have to hand over your screen password or the job won't get done. And that is when a standalone gpg password can protect your keys.

    Thanks again for your help and support and best regards,

    Davood

  5. Support Staff 5 Posted by Steve on 09 Jul, 2015 09:55 AM

    Yep, I ran into that scenario myself. I usually just take out the hard drive when giving the Mac in for repair. But that is not a lot of fun when we are speaking about an iMac.

    In times where malware can be planted in the EFI, it's hard to protect yourself when giving your machine out of your hands. Another workaround for that scenario would be to just back up your entire keyring to a USB drive, delete all keys on the machine and then use the backup once the repaired Mac is back.

    I'll go ahead and close this discussion. If you need further assistance or have questions you can re-open this discussion here or open a new one any time.

    Best, steve

  6. Steve closed this discussion on 09 Jul, 2015 09:55 AM.
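
The workaround from reply 5 (back up the whole keyring to a USB drive, delete the keys on the machine, restore them after the repair), written out as a shell script. This is an added example, not part of the original discussion and not GPGTools code; the function names, file names and the backup-directory argument are assumptions, and it drives the `gpg` command line rather than GPG Keychain.

```shell
#!/bin/sh
# Added example: move a GnuPG keyring to removable media and back.
# Function names, file names and the directory argument are illustrative.

# Read `gpg --with-colons --list-secret-keys` output on stdin and print the
# fingerprint of each primary key. Only the "fpr" record that directly
# follows a "sec" record is taken, so subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '$1 == "sec" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Export secret keys, public keys and ownertrust into directory $1.
# The body is a subshell so the stricter umask does not leak to the caller.
backup_keyring() (
    dest=$1
    umask 077                                   # owner-only backup files
    mkdir -p "$dest" || exit 1
    gpg --armor --export-secret-keys > "$dest/secret-keys.asc" || exit 1
    gpg --armor --export             > "$dest/public-keys.asc" || exit 1
    gpg --export-ownertrust          > "$dest/ownertrust.txt"  || exit 1
    # Succeed only if the export really contains secret key packets.
    gpg --list-packets "$dest/secret-keys.asc" 2>/dev/null |
        grep -q ':secret key packet:'
)

# Delete every local key pair. gpg asks for confirmation for each key.
remove_local_keys() {
    for fpr in $(gpg --batch --with-colons --list-secret-keys | primary_fprs); do
        gpg --delete-secret-and-public-key "$fpr" || return 1
    done
}

# Re-import keys and ownertrust from directory $1 after the repair.
restore_keyring() {
    src=$1
    gpg --import "$src/public-keys.asc" "$src/secret-keys.asc" || return 1
    gpg --import-ownertrust "$src/ownertrust.txt"
}

# Keys are deleted only after the backup has been written and verified.
case "${1:-}" in
    backup)  backup_keyring "$2" && remove_local_keys ;;
    restore) restore_keyring "$2" ;;
esac
```

Secret keys that have a passphrase are exported in their passphrase-protected form, so the file on the USB drive is still encrypted under that passphrase.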
