On Mon, Mar 8, 2010 at 8:57 PM, Brian Foster <blf at utvinternet.ie> wrote:
> I've forgotten the passphrase to a GPG key-pair.
> Is it possible to change the passphrase without
> knowing the current (forgotten) passphrase?

A keypair by definition has no password, but you store the keypair in
a structure which can be password protected and different storage
structures offer different types of protection.

A quick google shows that GPG uses a keyring structure to store the
keypair, but there are plenty of people asking what the GPG keyring is
and nobody seems to have the answer, or not from my quick google of
it.

If you can find the GPG keyring format then you'll know if the
password hash can be overwritten or not; some can, some are more
complex. Typically a keyring format implements one of the PKCS
formats, some of which have no passwords at all.

Being able to overwrite a keyring's password isn't necessarily the
"mother of all security holes"; it's all dependent on what the purpose
of the keyring is. If the purpose of the keyring is that you can leave
your keypair on a public website, then yes, a structure with a
resettable password isn't appropriate, but with an encryption tool such
as GPG in your user account, there are other security features and the
user's own self-care is a factor. If it was acceptable and utterly
secure to store keypairs in filesystems, people wouldn't invest in
smartcard technology for PKI rollouts, and they do.

HTH,
Paul
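
An added example, not part of the original message and not GnuPG's code: a simplified Python model of passphrase-protected secret key storage in the style of OpenPGP (RFC 4880), where the passphrase is run through an iterated and salted S2K to derive the key that encrypts the secret material. The record layout, the function names and the SHA-256 keystream standing in for the real cipher are assumptions made so the example runs on the standard library alone.

```python
import hashlib, os

def s2k_iterated_salted(passphrase: bytes, salt: bytes, c: int, keylen: int = 32) -> bytes:
    """RFC 4880 section 3.7.1.3 iterated and salted S2K, here with SHA-256 (keylen <= 32)."""
    count = (16 + (c & 15)) << ((c >> 4) + 6)   # octets to hash, decoded from coded count c
    data = salt + passphrase
    count = max(count, len(data))               # salt+passphrase is always hashed at least once
    h = hashlib.sha256()
    full, rest = divmod(count, len(data))
    for _ in range(full):
        h.update(data)
    h.update(data[:rest])
    return h.digest()[:keylen]

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Assumption: stand-in for the symmetric cipher (OpenPGP uses e.g. AES in CFB mode).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def protect(secret: bytes, passphrase: bytes, c: int = 96) -> dict:
    salt = os.urandom(8)
    key = s2k_iterated_salted(passphrase, salt, c)
    # As with S2K usage 254, a SHA-1 of the plaintext is encrypted along with it.
    blob = _keystream_xor(key, secret + hashlib.sha1(secret).digest())
    return {"salt": salt, "c": c, "blob": blob}  # no hash of the passphrase is stored

def unlock(rec: dict, passphrase: bytes) -> bytes:
    key = s2k_iterated_salted(passphrase, rec["salt"], rec["c"])
    plain = _keystream_xor(key, rec["blob"])
    secret, check = plain[:-20], plain[-20:]
    if hashlib.sha1(secret).digest() != check:
        raise ValueError("wrong passphrase: secret material does not decrypt")
    return secret

def change_passphrase(rec: dict, old: bytes, new: bytes) -> dict:
    # Re-protecting requires the plaintext, which requires the old passphrase.
    return protect(unlock(rec, old), new, rec["c"])

if __name__ == "__main__":
    rec = protect(b"constructed secret key material", b"old passphrase")
    rec = change_passphrase(rec, b"old passphrase", b"new passphrase")
    print(unlock(rec, b"new passphrase"))
```

In this model the only stored fields are the salt, the coded count and the encrypted blob, so replacing any of them yields a record that no passphrase unlocks rather than one with a new passphrase.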