pinentry offers to save symmetric passwords in libsecret
Neal H. Walfield
neal at walfield.org
Tue Jun 16 16:41:52 CEST 2015

I've created issue #2014 about this, but I'd like to get wider feedback
to figure out the right policy.

Currently, pinentry offers to save passwords in an external cache
(using libsecret) for both private keys and symmetric encryption keys.
At the implementation level, this is because symmetric keys have a
valid cache id (thus gpg-agent calls SETKEYINFO on a pinentry).

A major issue with this, according to Werner, is that unlike public
key crypto, people are using symmetric encryption because they don't
want to leave any traces on the disk about the encryption. (Note:
saving passwords in an external password manager is defined to be
opt-in so security-conscious users are unlikely to save the password.)

What should we do? Should we allow users to save the passphrases for
symmetric encryption keys or limit the external password manager to
passphrases for public keys?

In gpg 2.0, this is not easy to fix: both symmetric keys and public
keys are marked cache mode CACHE_MODE_USER. In 2.1, public keys are
marked CACHE_MODE_NORMAL. As such, in 2.1, we could not call
SETKEYINFO for keys with CACHE_MODE_USER, thereby preventing the
pinentry from offering the option.