Blog | G5 Cyber Security

GPG Key Passwords: Why Reusing is Risky

TL;DR

Reusing strong passwords for multiple GPG keys is a bad idea, even if they’re different keys for different purposes. If one key’s password gets compromised, all your other keys are at risk. Use unique, complex passwords or consider using passphrases and a password manager.

Why Reusing Passwords Fails

GPG (GNU Privacy Guard) uses a password (GnuPG calls it a passphrase) to encrypt the private keys that let you decrypt messages and sign data. Think of your private key as the lock, and the password as the key *to* the lock: anyone who obtains a copy of the key file and knows its password can unlock everything that key protects.

  1. Compromise Spreads: If a website you use is hacked, or if you fall for phishing, a compromised password isn’t limited to just that site. If you reuse that password on your GPG keys, attackers gain access to all the data protected by those keys.
    This is especially dangerous because GPG keys often protect sensitive information like emails, code signing certificates, and personal documents.
  2. Pattern Recognition: Attackers routinely try common passwords and variations of them. A reused password, however strong it was originally, is more likely to already appear in a breach list or a wordlist built from one.
    Attackers can then test those known passwords against your GPG keys offline, with no rate limiting to slow them down.
  3. Key Revocation Issues: If an attacker gains access to one key, they can potentially sign malicious software or decrypt sensitive communications as you. Revoking compromised keys is a pain and doesn’t solve the problem if other keys share the same password.

How to Fix It

Here’s how to improve your GPG key security:

  1. Generate Unique Passwords: Each GPG key should have its own, unique password.
    This is the most important step. Don’t use passwords you’ve used anywhere else.
  2. Password Complexity: Use strong passwords that are at least 16 characters long and include a mix of uppercase letters, lowercase letters, numbers, and symbols.
    Avoid dictionary words or easily guessable phrases.
  3. Consider Passphrases: Passphrases (long sentences) are easier to remember than random strings but can still be very secure.
    For example: “My favourite colour is blue and I like eating apples.”
  4. Use a Password Manager: A password manager generates, stores, and auto-fills strong passwords for you. Popular options include Bitwarden, KeePassXC (open source), and LastPass.
    Make sure the password manager itself has strong security (two-factor authentication is essential).
  5. Check Existing Keys: List your GPG keys to identify those that might be using reused passwords.
    gpg --list-secret-keys --keyid-format long

    Review the output and plan to change the passwords for any keys where you suspect reuse.

  6. Change Passwords: Use the following command to change a GPG key’s password:
    gpg --edit-key <key_id>

    Then, within the gpg editor, use the `passwd` command. You’ll be prompted for your current and new passwords.

  7. Regular Audits: Periodically review your GPG key setup to ensure all keys have unique, strong passwords.
    Consider setting reminders in your calendar.
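The three steps above (list the keys, change the passphrase, audit regularly) can be scripted. The following is an added example, not code from the original post: it parses the machine-readable `--with-colons` listing that `gpg --list-secret-keys` produces, flags each primary secret key's expiry, and shows a rotation loop. The listing embedded in the script is a constructed sample so the parser runs offline; `rotate_all_passphrases` talks to the real `gpg` and uses `gpg --passwd`, the GnuPG 2.1+ shortcut for the `passwd` sub-command of `--edit-key` described in step 6.

```shell
#!/bin/sh
# Added example (not from the original post): audit and rotate GPG key passphrases.

# Constructed sample of `gpg --list-secret-keys --keyid-format long --with-colons`.
# Record layout (colon-separated): 1=type, 5=long key ID, 6=creation epoch, 7=expiry epoch.
# Three primary keys: one with a future expiry, one without expiry, one already expired.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1700000000:1800000000::u:::scESC:::+:::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::1700000000::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Alice Example <alice@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1700000000:1800000000:::::e:::+:::23:
sec:u:255:22:1122334455667788:1700000000:::u:::scESC:::+:::23::0:
fpr:::::::::1122334455667788112233445566778811223344:
uid:u::::1700000000::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB::Bob Example <bob@example.invalid>::::::::::0:
sec:u:4096:1:AABBCCDDEEFF0011:1500000000:1600000000::u:::scESC:::+:::23::0:
fpr:::::::::AABBCCDDEEFF0011AABBCCDDEEFF0011AABBCCDD:
uid:u::::1500000000::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC::Old Key <old@example.invalid>::::::::::0:'

# Print the long key ID of every primary secret key ("sec" records only;
# subkeys appear as "ssb" and share the primary key's passphrase).
secret_key_ids() {
    printf '%s\n' "$1" | awk -F: '$1 == "sec" { print $5 }'
}

# Print "KEYID STATUS" for each primary secret key. STATUS is "expired",
# "no-expiry" or "expires-<epoch>". $2 is "now" in epoch seconds, passed in
# explicitly so the check is deterministic and testable offline.
audit_secret_keys() {
    printf '%s\n' "$1" | awk -F: -v now="$2" '
        $1 == "sec" {
            if ($7 == "")          status = "no-expiry"
            else if ($7 + 0 < now) status = "expired"
            else                   status = "expires-" $7
            print $5, status
        }'
}

# Live rotation: walk every primary secret key in the local keyring and change
# its passphrase. `gpg --passwd KEYID` (GnuPG 2.1+) is equivalent to
# `gpg --edit-key KEYID` followed by the `passwd` command; pinentry prompts
# for the current and the new passphrase for each key. Not run by default.
rotate_all_passphrases() {
    gpg --list-secret-keys --keyid-format long --with-colons \
        | awk -F: '$1 == "sec" { print $5 }' \
        | while IFS= read -r keyid; do
            printf 'Changing passphrase for key %s\n' "$keyid"
            gpg --passwd "$keyid"
        done
}

# Default action: print the audit for the constructed sample with a fixed "now"
# (1750000000). Pass --live to rotate the passphrases of your real keys instead.
if [ "${1:-}" = "--live" ]; then
    rotate_all_passphrases
else
    audit_secret_keys "$SAMPLE_LISTING" 1750000000
fi
```

To audit a real keyring, replace the sample with `$(gpg --list-secret-keys --keyid-format long --with-colons)` and `$(date +%s)`; expired keys that still carry a reused passphrase are the ones to rotate first, since they are easy to forget. The `--with-colons` format is the stable, documented output intended for scripts, so parsing it is more reliable than scraping the human-readable listing from step 5.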

Advanced Considerations

  1. Agent Usage: Using a GPG agent (like `gpg-agent`) can reduce the need to enter your password repeatedly during a session, but it doesn’t eliminate the risk of a compromised password.
    The agent still needs to unlock the key initially.
  2. Hardware Security Keys: For maximum security, consider using a hardware security key (like YubiKey) with GPG. The private key is generated on or moved to the device and cannot be exported from it, and the device can require a physical touch for each signing operation.
    This makes it much harder for attackers to steal or use your key even if they have the password, because the password alone no longer yields a usable copy of the key.