
Passphrase prompts for each subkey, but not clear which dialog belongs to which subkey
Closed, Resolved, Public

Description

If I either change the passphrase or export a secret key, multiple 'set
passphrase' dialogs pop up - I was very confused by this, but with some
experimentation I found out that this is one dialog for the master key and one
for each subkey. The problem is that neither the dialog nor the command prompt
tells for which key the current dialog is. I guess most of the time people will
want the same passphrase for all subkeys and probably also the same for the
master key. If that is the case, it should not be necessary to enter the
passphrase more than twice. But even if they want different passphrases, the
dialog should tell which subkey is affected at the moment. I guess the best way
would be to use the same passphrase for all keys by default and allow changing
the passphrase for specific keys by adding their IDs to the passwd command.

For exporting secret keys, I guess if someone really wants to export different
subkeys with different passphrases it is always possible to export into
different files, so a good default would be to have one passphrase per file.
However, I would also like an option like in the old (1.x) versions, namely
"export in the same format that you are using for storage, without decrypting
the secret key and re-encrypting it again". That format would no longer be
compatible with other versions, but at the moment this is just a pain.

Another problem is that setting an empty passphrase when exporting is broken,
but I will open a separate issue for this.

Event Timeline

Thanks for writing this report. I have this annoying problem in mind (and also
know what passphrase to enter) but having a report is better. Sorry, will take
some more time to fix that.

I just tested changing passphrases and indeed this is very ugly. Especially as this opens up a wide range of error states where you have different passphrases for different subkeys etc.

My suggestion would be to change "passwd" to use the same passphrase for all subkeys and maybe have a "subpasswd" command that works as it is now in that it queries for each subkey.

Was reported to me again in the context of paperkey export / print secret key in Kleopatra.

I don't really know what's supposed to happen with paperkey if you cancel the first passphrase entry and then ok the second. I don't really want to handle such states :-(

On gpg4win 4.1.0 (and GnuPG VSD 3.1.26) there are no longer password prompts for the subkeys when exporting (or making a backup from) secret keys.

The same is true for changing passwords unless there was no password on the key. In that case we ask twice for the new password, once for the main key and once for the subkey.

ebo claimed this task.

closed, as the remaining subtask is found at T6436