Page MenuHome GnuPG

Can not leave passphrase empty when exporting secret key
Closed, ResolvedPublic


If I export a secret key or subkey, I am asked for a passphrase (actually, one
passphrase for each subkey, but that is a separate issue). If I leave the fields
empty, a dialog asks if I am sure. I can click "Yes, protection is not needed.",
but this results in the message

  gpg: key ...: error receiving key from agent: No passphrase given - skipped

and the file is empty afterwards.
My hard disks are encrypted, so I have no additional passphrase set for my
secret keys. Whenever I create new subkeys (which I do every year), I have to
synchronize it to my laptop, which also has an encrypted hard drive and the
transport is also done securely. So I do not see why I should set a passphrase
for the exported secret key (after all, the key is not even additionally
encrypted in my .gnupg-folder). But even if for some reason there is a design
decision that it should not be possible to export without passphrase (which
would be odd), the dialog suggests that it is possible.



Event Timeline

That is a known problem. I have not yet found the time to fix it. I think
there is another bug report as well.

Thanks for looking into this, Justus.

While you're working on this, it might make sense to consider restoration of the
--export-options export-reset-subkey-passwd flag, which was dropped in 2.1.

This flag was used by at least one GnuPG downstream (monkeysphere); its absence
causes "monkeysphere subkey-to-ssh-agent" to fail.

In GnuPG 1.4.x and 2.0.x, the option was defined this way:

       When  using  the  --export-secret-subkeys  command,  this
       option resets the passphrases for all exported subkeys to
       empty. This is useful when the exported subkey is  to  be
       used  on an unattended machine where a passphrase doesn't
       necessarily make sense. Defaults to no.

I already sent Justsus some code I started with to restore that feature.

I am resolving this issue as duplicate of T2324
in the case of intented empty passphrase for the exported key.
(the export-reset-subkey-passwd flag should be taken to an entirely different