I have been working with Prof. Kenny Paterson from ETH Zurich and my
colleague Daniel Huigens at ProtonMail to analyse the security of the
OpenPGP specification and its implementations.
Considering an attacker with write access to encrypted private keys, we
have found that the OpenPGP private key encryption mechanism leaves the
keys vulnerable to what we call Key Overwriting (KO) attacks.
In these attacks, an encrypted private key or its metadata is corrupted
in such a way that secret data might be leaked when the key is used.
You can find full details about the attacks on
Our findings were also presented at the IETF 110 OpenPGP meeting ,
and addressed in the “crypto refresh” draft  (but existing keys
For any questions about the attacks or the countermeasures, feel free
to reach out to us.
Daniel and I will also be at the developers’ OpenPGP Email Summit in
openpgp mailing list