Passphrase and Key Structure

I was wondering what effect changing the passphrase has on the keys. Not
only the keygrip file but also on the exported copy of it that can be
used with other programs. If you change the passphrase, do you need to
re-backup those keygrip files and re-export those keys again?


your key file on the disk is symmetrically encrypted with the passphrase. So if you change the passphrase you change how the key is encrypted. That is the “keygrip file”.

The old backups can still be decrypted with the old passphrase. (Imported) If you want to use the new Passphrase to encrypt your backups you have to export the secret key again using the new Passphrase.

I hope this explains it. Just think of the key as an encrypted file. Because it is one :-).

Best Regards,


I can create a key that has no passphrase. That key is not encrypted so can be copied and used by others. The passphrase encrypts that file so even if they did get a hold of that key, they can’t do anything with it. That part I got.

From that I can assume that when adding (or changing) the passphrase it has to change something in the key for it to know there is even a passphrase plus it has to have the passphrase (or some hash of it) in there to verify it is correct when using it?

If I got the previous part correct, then whenever I add/change a passphrase, those updated keygrips need to be backed up again. I would also have to re-export that key if to be used it any another program that relies on the gpg version of that key.

Am I correct?


Yes, you are correct.

Just to clarify. The key file does not “contain” the passphrase. It is encrypted with the passphrase. Yes internally we use some kind of info to verify “We have decrypted this correctly” but that is an implementation detail.

Thanks for the explanation. I guess when I said contain the passphrase it was a poor choice of words.

Just to clarify in my mind, whenever you change that passphrase, those backed up keygrips and exported keys (gpg) would need to be redone again to reflect that new passphrase?

Yes they would need to be redone.