Is Kleopatra doing --export-secret-keys when we use the backup secret keys option? The page export-secret-keys says there is no protection for the key if you use this on the command line “…a security risk since private keys are left unprotected”. This thread Exporting certificate - Export Secret Key - key protection- no option for ASCII says to not worry and it is protected per some standard.
In fact if you google the topic you will find scores of people saying the private key is protected by the passphrase and scores saying it is NOT. Both camps cannot be right unless there are options to export the secret key without the passphrase protecting it?
So I did the backup secret keys with Kleopatra and took the file to another system where I was able to import into Kleopatra without using any password. But when I tried to use the key to decrypt a file I was asked for my passphrase as I expected. (Well, I kinda thought it might ask when importing too but it is protected in my testing.)
In this case both camps are correct in that
a) there is an encryption on the secret key material (if you have set a passphrase on the key at all).
b) you shall protect this exported secret key file during transfer, at least it is strongly recommended. There potentially are other attacks on an encrypted secret key file, so better is to not give it into the hand of attackers in the first place.
There is an option to export a secret key without passphrase, in the case that you are deliberately do not set a passphrase in the first place. This is useful in cases where the secret key material must be accessible for automation. Of course then the data at rest must be protected by other means.
This can be useful for secure transfer and backup of private keys. If you haven’t setup a passphrase on your secret key , this would be useful.
I am not sure if the passphrase set on secret key while setup is sufficient enough for protection but this method should provide additional protection and any accidental writes to insecure storage.