Pinentry: secure memory

Werner Koch wk at
Mon Jul 20 13:11:50 CEST 2015

On Mon,  6 Jul 2015 21:48, dkg at said:

> Is swap the only reason to use the secure memory?  Defending against

Yes, for Pinentry because there is only single confidential data object
to protect and we know the places were we may want to wipe it.  For
GnuPG this is more complicated because the secure memory area is also
used to automatically wipe malloc-ed memory before a free.

> So I'm not convinced the tradeoff for secure memory is worthwhile.  If
> you're relying on graphical toolkits, you end up relying on the toolkits
> to do the right thing anyway.

Looks to me that we have a rough consensus to do away with secure memory
in Pinentry.

> depending on native implementations for visually-integrated UI seems
> like it might be a better approach, both for usability and for security.

A Secure-Attention-Key like feature would be nice (i.e. greying out the
entire screen except for the Pinentry) but that must be provided by the
OS kernel or at least the GUI kernel.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list