Question about the security of the GnuPG Agent with regard to cryptographic material scrubbing
Sarun Intaralawan
sarunint at sarunint.com
Tue Feb 26 11:58:22 CET 2019
Hi Caprian,
I'm not able to answer your main question, but I believe it is you
explained. However, regarding the matter in P.S., I'm glad to inform you
that such a tool exists. It is called pass [1] and it is fully integrated
with GnuPG and Git. So you can backup your password like a Git repository.
There's also Android and iOS implementation of pass.
Hope this helps.
Regards,
Sarun
[1]: https://www.passwordstore.org
On Tue, 26 Feb 2019, 17:47 Ciprian Dorin Craciun, <ciprian.craciun at gmail.com>
wrote:
> Hello all!
>
> Given the recent survey in password managers security [1], which
> concluded with their failure to properly sanitize / scrub the
> sensitive data (i.e. "master key") in "running locked state", I was
> wondering how does GnuPG Agent fare in this regard?
>
> More specifically:
> * let's assume that one uses GnuPG Agent; (only for PGP;)
> * the user enters the password for a particular private key;
> * (one assumes that the password was used to get the private key
> cryptographic material, and then scrubbed;)
> * then `--max-cache-ttl` seconds passes;
> * one assumes that the private key cryptographic material is now scrubbed;
>
> Is this expectation correct?
>
>
> Is there some external analysis about the security of the agent with
> regard to the scrubbing of both passwords and cryptographic material?
>
> Thanks,
> Ciprian.
>
>
> [1]
> https://www.securityevaluators.com/casestudies/password-manager-hacking/
>
>
>
>
> P.S.: My interest in this subject is because I have a "custom"
> password-manager implemented on-top of GnuPG, which I'm sure leaks
> passwords all over the place (because it's written in Bash, and uses
> various X tools, none made for security). However I am curios how
> "safe" the actual GnuPG agent really is.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190226/163cb7b7/attachment.html>
More information about the Gnupg-users
mailing list