I’ve been experimenting with GPG4 sending encrypted files between multiple accounts on my computer to understand how the process works. Most information about PKI suggests that if your private key is compromised, your messages could be decoded (if someone has your public key and your passphrase). However, even if I know the passphrase associated with a public certificate, it appears useless for decrypting a file, since you must own the certificate that you’re using to do the decryption, and I see no way of taking ownership of a public certificate, at least with Kleopatra. Would one be able to, with some nefarious hacking, actually decrypt a file if he/she had the public certificate and the passphrase, or is it truly secure even in this scenario? I realize that if you create a certificate with File > Export Secret Keys, all bets are off; I’m just considering the normal Export Certificate for public dissemination. Thanks in advance for any insight.
I think at some point you confused public with private key
Most information about PKI suggests that if your private key is compromised,
your messages could be decoded
This is correct. Your private key is what is needed to decrypt files. The passphrase is used to encrypt the private key. So an attacker would actually need your private key + passphrase to get access to your private key.
(if someone has your public key and your passphrase)
Now this is wrong. By design the public key does not help an attacker (or you if you lost your private key). You can safely publish the public key. There are keyservers just for that purpose and the whole system relies on the fact that you have access to the public key’s of your communication partners.
If you want to understand this further you might want to take a look at the wikipedia article about this: http://en.wikipedia.org/wiki/Public-key_cryptography