Pinentry: secure memory

Daniel Kahn Gillmor dkg at
Mon Jul 6 21:48:12 CEST 2015

On Tue 2015-06-16 07:04:40 -0400, Neal H. Walfield wrote:
> This raises another question: do the secure widgets actually increase
> security?  Recall our threat model is someone reading the password
> from swap.

Is swap the only reason to use the secure memory?  Defending against
memory being written to non-volatile storage or readable from outside
the machine is increasingly difficult in this age of hibernated and
virtualized systems.

furthermore, there are other kinds of attack (like spoofing pinentry or
gpg-agent itself) that locked memory does nothing to prevent.

So I'm not convinced the tradeoff for secure memory is worthwhile.  If
you're relying on graphical toolkits, you end up relying on the toolkits
to do the right thing anyway.

depending on native implementations for visually-integrated UI seems
like it might be a better approach, both for usability and for security.


More information about the Gnupg-devel mailing list