I recently began using Kleopatra, and I was very surprised to see that exporting secret keys does not require any password authorization. So anyone with access to a running instance of Kleopatra could export all the secret keys. Presumably, the attacker would have to know the signing password to fully utilize them, but this still seems like a bad operational practice. Is there a way to configure Kleopatra to require passwords to export secret keys?


We are talking effectively uncrackable encryption here. What the heck use are private keys without the signing password? Relax and make your password a ‘good one’.
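Added example, not from this thread and not Kleopatra's or GnuPG's own code: a small OpenPGP (RFC 4880) packet walker that can be run over the output of `gpg --export-secret-keys` to confirm the point above, namely that an exported secret key still carries only passphrase-encrypted private material (S2K usage octet 254/255, never 0). The two sample packets at the bottom are constructed stand-ins for a real export.

```python
import struct

_PUBKEY_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # public-field MPIs per algo id (RFC 4880 5.5.2); ECC ids 18/19/22 use OID + point

def _skip_mpi(buf, pos):
    return pos + 2 + (struct.unpack(">H", buf[pos:pos + 2])[0] + 7) // 8

def _packet_header(buf, pos):
    # Return (tag, body_start, body_end) for old- and new-format headers (RFC 4880 4.2).
    ctb = buf[pos]
    if ctb & 0x40:                                   # new format; 1- and 2-octet lengths only
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first >= 224:
            raise ValueError("4-octet or partial body length not supported")
        hdr, length = (2, first) if first < 192 else (3, ((first - 192) << 8) + buf[pos + 2] + 192)
    else:                                            # old format (GnuPG emits this for key packets)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if not ctb & 0x80 or ltype == 3:
            raise ValueError("unsupported packet header at offset %d" % pos)
        hdr = 1 + (1 << ltype)
        length = int.from_bytes(buf[pos + 1:pos + hdr], "big")
    return tag, pos + hdr, pos + hdr + length

def secret_key_s2k_usages(keyblock):
    """S2K usage octet per secret-key (tag 5) / secret-subkey (tag 7) packet: 0 = private MPIs
    stored in clear; 254/255 (or a legacy cipher id) = encrypted under the passphrase."""
    pos, usages = 0, []
    while pos < len(keyblock):
        tag, p, end = _packet_header(keyblock, pos)
        if tag in (5, 7):
            if keyblock[p] != 4:
                raise ValueError("only v4 key packets are handled")
            algo, p = keyblock[p + 5], p + 6           # skip version, creation time, algorithm id
            if algo in (18, 19, 22):
                p = _skip_mpi(keyblock, p + 1 + keyblock[p])  # curve OID, then public point
                if algo == 18:
                    p += 1 + keyblock[p]                      # ECDH KDF parameters
            else:
                for _ in range(_PUBKEY_MPIS[algo]):
                    p = _skip_mpi(keyblock, p)
            usages.append(keyblock[p])
        pos = end
    return usages

def _constructed_rsa_secret_packet(usage):
    # Constructed toy v4 RSA secret-key packet: old-format header, tiny fake MPIs, truncated tail.
    body = b"\x04" + b"\x00" * 4 + b"\x01" + b"\x00\x10\xc0\xff" + b"\x00\x05\x11" + bytes([usage]) + b"\x00" * 4
    return bytes([0x80 | (5 << 2), len(body)]) + body

PROTECTED_SAMPLE = _constructed_rsa_secret_packet(254)   # a normal GnuPG export: still encrypted
CLEARTEXT_SAMPLE = _constructed_rsa_secret_packet(0)     # what you do not want to see
```

On a real binary export, GnuPG's own `gpg --list-packets` shows the same field as an `iter+salt S2K` line on each protected secret key packet; a 0 result from the function above (or a missing S2K line) means the private material left the keyring unencrypted.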

I went and compared this to my previous pgp software suite, and the behavior was the same. Just got a little paranoid. Thanks for the reassurance.

No problem. A modicum of paranoia can be helpful at times.



Please tell me, when I change the master password in Kleopatra, must I again back up the private (secret) keys?