Tom,
I’m not an expert on PGP/GPG, so I only respond to questions which I’m sure I have the answer to. But I’ll take a stab at answering yours:
It’s generally recommended that you keep unencrypted copies of messages (both sent and received) in case you lose access to your key…because once it’s gone, there’s no getting it back. So, if “Suzy” has free access to your computer, she could just read the unencrypted messages.
But, let’s say you don’t keep unencrypted copies. Well, it would be just as easy for Suzy to install a key-logger and get your password anyway. Or, she could just look over your shoulder as you type it, etc. In other words, if you believe that bad actors may have access to your computer, you’ve got much more to worry about.
Here’s what I do to get around that possibility: Following the instructions found here:
https://alexcabal.com/creating-the-perfect-gpg-keypair/
and here:
https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/
…I created a smart-card which only contains my encryption and signing sub-keys. The master key is stored elsewhere (i.e. not even on my PC or the smart-card). The advantage of this setup is that if someone gains access to my PC, they will not be able to get the secret keys. So, even if they do get the password, it will be useless without the keys. And if I lose my smart-card, I can still retrieve my master key and revoke the sub-keys which were on it. Then, I can get a new smart-card, generate new sub-keys, re-send it to the servers and never have to revoke my main key. The only caveat being that senders need to be sure they have the latest version of my key. Otherwise, they may be sending messages using a compromised key. But that’s best practice in any case.
This also has the advantage of making it impossible to generate a revocation certificate, even with the password. GPG will produce an error message to the effect of, “secret parts of key not available”.
Note: The “–export-secret-key” command will still work, but it will produce a slightly different output. Only “pointers” to the key will be created. You’d still need the smart-card to do anything with them.
As for the unencrypted copies of your messages: you could move them to a safe location (like where you would keep your actual revocation certificate, master key, etc.) Or, you could password protect your PC and lock it when you step away or use another encryption program (like TrueCrypt, etc.) to keep them safe…but then you run into the same problem involving key-loggers. A third option would be to only read unencrypted messages on an offline PC which is also kept in a safe location. All of this sounds a bit complicated, I know. But it depends on how much security you actually think you need. And really good security is inherently complicated…unfortunately.
Hope that helps.
Regards,
Sean C.