secure memory for decryption buffer

Werner Koch wk at gnupg.org
Sun Mar 18 17:11:30 CET 2012


On Fri, 16 Mar 2012 17:31, martin at gnutiken.se said:

> use to integrate gpg encryption/decryption in my application. However,
> I'm unsure if gpgme stores decrypted data in secure memory. I don't want
> passwords to be swapped to disk.

There is no need for it.  GnuPG manages its passphrases using the
gpg-agent daemon.  GPGME does not need to care about passphrases.  Well,
there is an API for passphrases, but it is only used by old GnuPG
versions; its use is not recommended.

The use of mlock is not trivial and more or less impossible for a
general purpose library like GPGME.  Further, the protection this
"secure memory" provides is very questionable these days.  You are
better off using an encrypted swap partition.

Using an mlocked memory area for arbitrary sizes of data is not a good
idea in any case.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




More information about the Gnupg-devel mailing list