
The warning "lower 3 bits of the secret key are not cleared" keeps showing even when the cv25519 key was generated by GnuPG
Open, Normal, Public

Description

First, sorry for my poor English. I have some problems when using Curve25519.

I created a new key pair using the default option, Curve 25519. It automatically generated a master ed25519 key (Sign and Certify) and a cv25519 subkey (Encrypt only). I exported the key, deleted all private and public keys from GnuPG, imported it back, and then got this message: warning: lower 3 bits of the secret key are not cleared.

I found that this warning message was added in T5464. I don't clearly understand the detailed process and algorithm in GnuPG that was discussed in T5464, but it seems the warning is shown even when the key was exported by GnuPG itself. There are some questions I'm worried about:

  1. When I export or import a cv25519 key, does the warning message mean the existing key pair is already "broken"?
  2. Are there any parameters or commands in gpg that can avoid this situation? (for example, clearing the lower 3 bits and setting the highest bit before exporting or importing)
  3. Is it safe to modify existing private keys manually? (It seems difficult; I'm not sure whether the secret key file on disk is protected by a password.)

Below is the output; the key pair is for testing only and does not need to be kept secret.

My platform is Windows 11 22H2 and Gpg4win 4.1.0.

Hope this can help, thanks a lot.

> gpg --full-generate-key
gpg (GnuPG) 2.4.0; Copyright (C) 2021 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (14) Existing key from card
Your selection?
Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (4) NIST P-384
   (6) Brainpool P-256
Your selection?
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 28
Key expires at 2023-01-27 23:43:58 Taipei Standard Time
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: test
Email address: test@test.com
Comment:
You selected this USER-ID:
    "test <test@test.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: directory 'C:\\Users\\<hidden>\\AppData\\Roaming\\gnupg\\openpgp-revocs.d' created
gpg: revocation certificate stored as 'C:\\Users\\<hidden>\\AppData\\Roaming\\gnupg\\openpgp-revocs.d\\B40B253D65E7B1A6DD596005AD081E365A435428.rev'
public and secret key created and signed.

pub   ed25519 2022-12-30 [SC] [expires: 2023-01-27]
      B40B253D65E7B1A6DD596005AD081E365A435428
uid                      test <test@test.com>
sub   cv25519 2022-12-30 [E] [expires: 2023-01-27]

> gpg --list-secret-keys --keyid-format LONG
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-01-27
C:\Users\<hidden>\AppData\Roaming\gnupg\pubring.kbx
---------------------------------------------
sec   ed25519/AD081E365A435428 2022-12-30 [SC] [expires: 2023-01-27]
      B40B253D65E7B1A6DD596005AD081E365A435428
uid                 [ultimate] test <test@test.com>
ssb   cv25519/BDDF38C10B2D8577 2022-12-30 [E] [expires: 2023-01-27]

> gpg --output test.sec --armor --export-secret-keys B40B253D65E7B1A6DD596005AD081E365A435428

> gpg --delete-secret-keys B40B253D65E7B1A6DD596005AD081E365A435428
gpg (GnuPG) 2.4.0; Copyright (C) 2021 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


sec  ed25519/AD081E365A435428 2022-12-30 test <test@test.com>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

> gpg --delete-keys B40B253D65E7B1A6DD596005AD081E365A435428
gpg (GnuPG) 2.4.0; Copyright (C) 2021 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  ed25519/AD081E365A435428 2022-12-30 test <test@test.com>

Delete this key from the keyring? (y/N) y

> gpg --list-secret-keys --keyid-format LONG
gpg: checking the trustdb
gpg: no ultimately trusted keys found

> gpg --import test.sec
gpg: key AD081E365A435428: public key "test <test@test.com>" imported
gpg: warning: lower 3 bits of the secret key are not cleared
gpg: key AD081E365A435428: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

> gpg --list-secret-keys --keyid-format LONG
C:\Users\<hidden>\AppData\Roaming\gnupg\pubring.kbx
---------------------------------------------
sec   ed25519/AD081E365A435428 2022-12-30 [SC] [expires: 2023-01-27]
      B40B253D65E7B1A6DD596005AD081E365A435428
uid                 [ unknown] test <test@test.com>
ssb   cv25519/BDDF38C10B2D8577 2022-12-30 [E] [expires: 2023-01-27]

Details

Version
2.4.0
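
For readers unfamiliar with the bits the warning refers to, here is an added example (not part of the report and not GnuPG code) of the scalar "clamping" that RFC 7748 defines for X25519, with a check that names which conditions a scalar violates. It works on the integer value of the scalar, so it makes no statement about how GnuPG stores or checks the key; `SAMPLE` and the function names are constructed for this illustration.

```python
# Added illustration of RFC 7748 X25519 scalar clamping; not GnuPG code.
P = 2**255 - 19
A24 = 121665
# Constructed sample scalar (bytes 01..20 hex, little-endian); not a real key.
SAMPLE = int.from_bytes(bytes(range(1, 33)), "little")

def clamp(k: int) -> int:
    """RFC 7748 decodeScalar25519, applied to the scalar's integer value."""
    k &= ~7                 # clear the lower 3 bits (multiple of cofactor 8)
    k &= (1 << 255) - 1     # clear bit 255
    k |= 1 << 254           # set bit 254
    return k

def clamp_issues(k: int) -> list:
    """Name the clamping conditions that a 256-bit scalar does not meet."""
    issues = []
    if k & 7:
        issues.append("lower 3 bits not cleared")
    if (k >> 255) & 1:
        issues.append("bit 255 not cleared")
    if not (k >> 254) & 1:
        issues.append("bit 254 not set")
    return issues

def x25519(k: int, u: int = 9) -> int:
    """Montgomery ladder from RFC 7748; the scalar is clamped before use."""
    k = clamp(k)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P
```

Because the function as specified in RFC 7748 clamps its input, `x25519(SAMPLE)` and `x25519(clamp(SAMPLE))` give the same public value even though `clamp_issues(SAMPLE)` is non-empty.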

Event Timeline

werner triaged this task as Normal priority. Sat, Dec 31, 12:02 PM
werner added a project: gnupg24.