by cvwright 3713 days ago
Looks interesting. But I think I must be missing something.

Are the symmetric keys that are used to encrypt the private keys derived from a password, or not?

> This protocol overcomes this weakness by wrapping all key packets, encrypted with a key derived from a second high-entropy alphanumeric passphrase.

>

> The passphrase SHOULD be a random high-entropy uppercase alphanumeric string of 24 characters, generated from a cryptographically secure pseudo-random number generator (CSPRNG).

So do you seed the CSPRNG starting from something derived from a password? And if not, then how do you decrypt your private keys when you want to use them on a new device?


From my understanding, there are two passphrases. One to encrypt the private key in the usual way. And another one that's used for storage on the IMAP server.

The RNG is, as far as I can make out, only recommended to ensure that users don't use a weak passphrase.

Exactly. The passphrase for the private key isn't touched. The >24 chars passphrase is used for the symmetrically encrypted PGP message.

Oh, OK cool. As long as you're using a good KDF to seed the CSPRNG that sounds great. Thanks for the response.
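
An added example (not part of the thread and not the protocol's own code) of the two steps in the quoted text: drawing the 24-character uppercase alphanumeric passphrase from the OS CSPRNG, then deriving a symmetric key from it. The KDF shown is OpenPGP's iterated and salted S2K with SHA-256, which is an assumption, since the thread does not say which KDF the protocol uses; the function names and the sample salt are constructed for illustration.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols, per the quoted text
LENGTH = 24

def generate_passphrase(length=LENGTH):
    """Draw every character from the OS CSPRNG; nothing user-chosen seeds it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length=LENGTH, alphabet=ALPHABET):
    """Entropy of a uniformly random string over the alphabet."""
    return length * math.log2(len(alphabet))

def s2k_iterated_salted(passphrase, salt, coded_count, key_len=32):
    """Iterated+salted S2K (RFC 4880, 3.7.1.3) with SHA-256 (assumed KDF)."""
    if len(salt) != 8:
        raise ValueError("S2K salt is 8 bytes")
    if key_len > hashlib.sha256().digest_size:
        raise ValueError("single hash context covers at most 32 key bytes")
    # Decode the one-octet count into the number of bytes to hash.
    count = (16 + (coded_count & 15)) << ((coded_count >> 4) + 6)
    data = salt + passphrase.encode("ascii")
    count = max(count, len(data))  # salt+passphrase is always hashed once in full
    h = hashlib.sha256()
    full, rest = divmod(count, len(data))
    for _ in range(full):
        h.update(data)
    h.update(data[:rest])
    return h.digest()[:key_len]

if __name__ == "__main__":
    passphrase = generate_passphrase()      # shown to the user once, kept offline
    salt = secrets.token_bytes(8)           # stored in the clear with the ciphertext
    key = s2k_iterated_salted(passphrase, salt, 0x60)
    print(f"passphrase entropy: {entropy_bits():.1f} bits")
    # A second device re-derives the same key from the typed passphrase
    # and the salt it reads from the stored message.
    assert s2k_iterated_salted(passphrase, salt, 0x60) == key
```
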