Information Security
openpgp gpg4win kleopatra
Updated Tue, 01 Nov 2022 07:45:12 GMT

How to tell if a "PGP PRIVATE KEY BLOCK" is passphrase protected?

I've used gpg4win's Kleopatra tool to create an OpenPGP RSA personal certificate. I want to export the private key for several reasons (import it on another machine, as well as backing it up in Keepass), so I right-clicked the certificate and chose "Export Secret Keys..." and chose to "ASCII armor" it.

If I open up the file in Notepad I see this kind of thing:


How can I tell (or alternatively: know) if this is passphrase-protected?


Is this passphrase-protected? There's a high probability it is!

How can I know if this is passphrase-protected?

Simply enough: import the exported key and try to use it; if it was originally created with a passphrase, it will be exported with the passphrase. You need to know it after the import, too.

It is possible to create a passphrase-less key pair, but after confirming this three times and then finally re-entering the empty passphrase you should already be pretty aware that this isn't smart:

[Image: Kleopatra pinentry-qt4 confirmations]

How can I tell if this is passphrase-protected?

You can also analyze the key with `gpg --list-packets --verbose private-exported.asc`.

On a password-protected key you'll see something like this:

    pkey[1]: 010001
    iter+salt S2K, algo: 3, SHA1 protection, hash: 2, salt: 85B065E6EAFE95F6
    protect count: 2752512 (181)
    protect IV:  e6 47 c1 03 96 b1 5c e8
    skey[2]: [v4 protected]
    keyid: F5798EF2ECAC2051

While the unprotected key reveals all the keys like this:

    pkey[0]: BC1A19AD1A1AC852F7A5E....
    pkey[1]: 010001
    skey[2]: 02CA55EDF940900EFFD2A....
    skey[3]: D477DA74DF0DCD8E991AA....
    skey[4]: E2A43778C36FEE7E27903....
    skey[5]: E0CC81786737F2838A7FE....
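
An added example, not part of the answer above and not GnuPG's code: the protection status shown by `gpg --list-packets` comes from the S2K usage octet that follows the public MPIs in each secret-key packet (RFC 4880), and this Python code reads that octet directly from an ASCII-armored export. It assumes v4 RSA keys; the function names are hypothetical and `constructed_sample` builds a constructed input, not a real key.

```python
import base64

SECRET_TAGS = {5: "secret key", 7: "secret subkey"}   # RFC 4880 packet tags

def dearmor(text):
    """Binary packet data inside an ASCII-armored block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    data = lines[lines.index("") + 1:]    # armor headers end at the blank line
    return base64.b64decode("".join(l for l in data if l[:1] not in ("=", "-", "")))

def packets(buf):
    """Yield (tag, body) for each packet in the binary data."""
    i = 0
    while i < len(buf):
        hdr, i = buf[i], i + 1
        if hdr & 0x40:                    # new format: tag in the low 6 bits
            tag, n, i = hdr & 0x3F, buf[i], i + 1
            if 192 <= n < 224:            # two-octet length
                n, i = ((n - 192) << 8) + buf[i] + 192, i + 1
            elif n >= 224:
                raise ValueError("4-octet/partial lengths not handled here")
        else:                             # old format: tag in bits 5-2
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if size == 8:
                raise ValueError("indeterminate length not handled here")
            n, i = int.from_bytes(buf[i:i + size], "big"), i + size
        yield tag, buf[i:i + n]
        i += n

def s2k_usage(body):
    """S2K usage octet of a v4 RSA secret-key packet body (0 = unprotected)."""
    if body[0] != 4 or body[5] not in (1, 2, 3):      # 1-3 are the RSA IDs
        raise ValueError("this example handles v4 RSA keys only")
    i = 6                                 # version(1) + created(4) + algo(1)
    for _ in range(2):                    # skip the public MPIs n and e
        i += 2 + (int.from_bytes(body[i:i + 2], "big") + 7) // 8
    return body[i]

def protection_report(armored):
    """[(packet kind, is_passphrase_protected)] for each secret (sub)key."""
    return [(SECRET_TAGS[t], s2k_usage(b) != 0)
            for t, b in packets(dearmor(armored)) if t in SECRET_TAGS]

def constructed_sample(usage):            # constructed input, not a real key
    body = (b"\x04" + bytes(4) + b"\x01"  # v4, creation time 0, RSA
            + b"\x00\x20\xbc\x1a\x19\xad" + b"\x00\x11\x01\x00\x01"  # fake n, e=65537
            + bytes([usage]) + bytes(8))  # S2K usage octet + filler
    pkt = base64.b64encode(bytes([0x94, len(body)]) + body).decode()
    return f"-----BEGIN PGP PRIVATE KEY BLOCK-----\n\n{pkt}\n-----END PGP PRIVATE KEY BLOCK-----"
```

To check a real export, pass the file's text to `protection_report`; a usage octet of 254 or 255 means an S2K specifier follows, and any nonzero value means the secret MPIs are encrypted.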