A few newbie Qs

Simon Ward simon+gnupg at bleah.co.uk
Sun Apr 27 15:04:11 CEST 2014



On 27 April 2014 11:34:07 BST, "Robert J. Hansen" <rjh at sixdemonbag.org> wrote:
>> execute arbitrary code with your credentials, you should simply
>> consider your GnuPG installation compromised whether you use the
>> clipboard or not.
>
>C&P is a time machine.
>
>If I enter a passphrase normally on Monday and my machine is compromised
>on a Tuesday, I can be confident my certificate is still secure because
>I never entered my passphrase on a compromised machine.  If I enter a
>passphrase via C&P on Monday and my machine is compromised on a Tuesday,
>I suddenly have to worry: was my passphrase still in my C&P buffer?  Did
>I remember to wipe the C&P buffer?  Did the C&P buffer get wiped
>securely?  Did I...

The password manager should clear or overwrite the clipboard after a short time, which should help. KeePass includes "timed clipboard clearing" in its feature list. Of course, there is still the question of whether it does (or can*) do it securely.

(*It's possible to clear the X clipboard, but I'm not sure if it remains in memory)

Simon
-- 
Sent from Kaiten Mail. Please excuse my brevity.


