Affects:
The bug affects Kgpg versions 0.6 to 0.8.2.
Description:
A bug in Kgpg's key generation affects all secret keys generated through Kgpg's wizard. (The bug does not affect keys created in console/expert mode.) All keys created through the wizard have an empty passphrase, which means that anyone who has access to your computer and can read your secret key can decrypt your files without needing a passphrase.
Why this bug? Is Kgpg insecure?
This bug happened because the way the passphrase was sent to GnuPG was incorrect. Thus, the passphrase was considered empty. Basically, Kgpg is just a frontend that sends command line arguments to GnuPG. So, there shouldn't be security issues, except when the sent commands are wrong... I always tried to be very careful... If some users think it is useful, I could introduce a paranoia mode that displays each command before executing it.
What can you do:
We strongly recommend that you delete all secret keys created with the wizard. You can also edit the key and give it a new passphrase; however, the key may have been compromised in the meantime.
All Kgpg users are also strongly advised to update to version 0.9.
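
One way to find which secret keys in an export are stored without passphrase protection, as an added example that is not part of the original advisory or of Kgpg. It assumes GnuPG writes a key generated with an empty passphrase with the S2K usage octet set to 0 (RFC 4880, section 5.5.3) and handles RSA, DSA and Elgamal keys only; the function names and the sample bytes are constructed here.

```python
# Added example. Assumption: GnuPG stores an empty-passphrase key with S2K usage 0.
PUBKEY_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA, Elgamal, DSA public MPI counts

def packets(data):
    """Yield (tag, body) for each OpenPGP packet in binary (non-armored) data."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if hdr & 0x40:  # new-format header
            tag, first = hdr & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not handled")
        else:  # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def unprotected_keys(data):
    """Return [(tag, is_unprotected)] for secret key (5) and subkey (7) packets."""
    out = []
    for tag, body in packets(data):
        if tag not in (5, 7):
            continue
        p = 8 if body[0] in (2, 3) else 6  # v3 has a 2-byte validity field
        for _ in range(PUBKEY_MPIS[body[p - 1]]):  # skip public MPIs
            p += 2 + (int.from_bytes(body[p:p + 2], "big") + 7) // 8
        out.append((tag, body[p] == 0))  # S2K usage 0 = stored in the clear
    return out

# Constructed sample: one unprotected key, one passphrase-protected subkey.
_PUB = bytes([4, 0, 0, 0, 0, 1]) + b"\x00\x08\xff" + b"\x00\x02\x03"
_pkt = lambda tag, body: bytes([0x80 | (tag << 2), len(body)]) + body
SAMPLE = (_pkt(5, _PUB + b"\x00" + b"\x00\x01\x01\x00\x01")
          + _pkt(7, _PUB + bytes([254, 3, 3, 2]) + b"S" * 8 + b"\x60" + b"I" * 8 + b"E" * 4))
```

To check real keys, pass the binary output of `gpg --export-secret-keys` (without `--armor`) to `unprotected_keys`; any packet reported as `True` has no passphrase protection.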