Pinentry: secure memory

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Jul 6 21:48:12 CEST 2015


On Tue 2015-06-16 07:04:40 -0400, Neal H. Walfield wrote:
> This raises another question: do the secure widgets actually increase
> security?  Recall our threat model is someone reading the password
> from swap.

Is swap the only reason to use the secure memory?  Defending against
memory being written to non-volatile storage or readable from outside
the machine is increasingly difficult in this age of hibernated and
virtualized systems.

Furthermore, there are other kinds of attack (like spoofing pinentry or
gpg-agent itself) that locked memory does nothing to prevent.

So I'm not convinced the tradeoff for secure memory is worthwhile.  If
you're relying on graphical toolkits, you end up relying on the toolkits
to do the right thing anyway.

Depending on native implementations for visually-integrated UI seems
like it might be a better approach, both for usability and for security.

        --dkg
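To make the tradeoff above concrete, here is an added example (not pinentry's or GnuPG's own code) of what "secure memory" typically means on Linux: a page-aligned buffer pinned with mlock() so the kernel does not page it to swap, explicitly zeroed through a volatile pointer before release. The type and function names (secmem_t, secmem_alloc, secmem_wipe, secmem_free) and the sample passphrase are hypothetical. The comments mark the boundary dkg points at: locking addresses ordinary swap only, not hibernation images, VM snapshots, or a spoofed pinentry.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* A page-aligned, mlock()ed buffer.  Hypothetical helper type for this
 * example; pinentry/libgcrypt have their own secure-memory allocators. */
typedef struct {
    unsigned char *data;
    size_t len;      /* bytes actually mapped (rounded up to whole pages) */
    int locked;      /* 1 if mlock() succeeded, 0 if it failed (e.g. RLIMIT_MEMLOCK) */
} secmem_t;

/* Map whole pages and try to pin them in RAM. */
int secmem_alloc(secmem_t *m, size_t want)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    size_t len = ((want + (size_t)page - 1) / (size_t)page) * (size_t)page;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    m->data = p;
    m->len = len;
    /* mlock() only keeps these pages out of ordinary swap.  A hibernation
     * image or a VM snapshot still captures locked pages, and nothing here
     * helps if the user is talking to a spoofed pinentry or gpg-agent. */
    m->locked = (mlock(p, len) == 0);
    return 0;
}

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
 * stores as dead (a plain memset() right before free() is often optimised away). */
void secmem_wipe(unsigned char *p, size_t len)
{
    volatile unsigned char *vp = p;
    while (len--) *vp++ = 0;
}

/* 1 if every byte of p[0..len) is zero; reads every byte regardless of content. */
int secmem_is_zero(const unsigned char *p, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= p[i];
    return acc == 0;
}

/* Wipe, unlock and unmap.  Wiping first matters: munmap() alone leaves the
 * bytes in the physical page until something else reuses it. */
void secmem_free(secmem_t *m)
{
    if (!m->data) return;
    secmem_wipe(m->data, m->len);
    if (m->locked) munlock(m->data, m->len);
    munmap(m->data, m->len);
    m->data = NULL; m->len = 0; m->locked = 0;
}

/* Full lifecycle with a constructed sample passphrase (not a real secret).
 * Returns 1 when the value was held correctly and zeroed before release. */
int demo_passphrase_lifecycle(void)
{
    static const char sample[] = "correct horse battery staple"; /* constructed */
    secmem_t m;
    if (secmem_alloc(&m, sizeof sample) != 0) return 0;
    memcpy(m.data, sample, sizeof sample);
    int held = (memcmp(m.data, sample, sizeof sample) == 0);
    secmem_wipe(m.data, m.len);
    int wiped = secmem_is_zero(m.data, m.len);
    secmem_free(&m);   /* wipes again (harmless), then unlocks and unmaps */
    return held && wiped;
}

/* Self-check of the wiper on a stack buffer. */
int demo_wipe_stack(void)
{
    unsigned char buf[16];
    memset(buf, 0xA5, sizeof buf);
    secmem_wipe(buf, sizeof buf);
    return secmem_is_zero(buf, sizeof buf);
}

int main(void)
{
    secmem_t m;
    if (secmem_alloc(&m, 32) == 0) {
        printf("mapped %zu bytes, mlock %s\n", m.len,
               m.locked ? "succeeded" : "failed (RLIMIT_MEMLOCK?)");
        secmem_free(&m);
    }
    printf("lifecycle ok: %d, wipe ok: %d\n",
           demo_passphrase_lifecycle(), demo_wipe_stack());
    return 0;
}
```

Note that secmem_alloc treats an mlock() failure as non-fatal and records it in `locked`; a real pinentry has to decide whether to refuse to run, warn, or continue, and that decision is exactly the usability-versus-security question raised in the thread. The wipe, by contrast, costs nothing and is worth doing whether or not the lock succeeded.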
