pinentry offers to save symmetric passwords in libsecret
Daiki Ueno
ueno at gnu.org
Wed Jun 17 08:59:22 CEST 2015
Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
> Maybe what i'm missing is how the "cache_id" is selected for the
> symmetric passphrase, both at creation time and at re-use time. Can you
> summarize that? I dug around in the code a bit but didn't sort out how
> it's being done.
If I remember correctly (and the logic hasn't changed), it is a randomly
chosen 8-octet salt value:
http://tools.ietf.org/html/rfc4880#section-3.7.1.2
"Neal H. Walfield" <neal at walfield.org> writes:
> A major issue with this, according to Werner, is that unlike public
> key crypto, people are using symmetric encryption because they don't
> want to leave any traces on the disk about the encryption.
>
> What should we do? Should we allow users to save the passphrases for
> symmetric encryption keys or limit the external password manager to
> passphrases for public keys?
IMHO, the latter sounds better, unless the user frequently opens certain
files which are symmetrically encrypted (e.g., ~/.authinfo.gpg used by
Gnus, which saves IMAP passwords, etc. in that file); in that case,
additional information (a filename, etc.) should be associated with the
passphrase within the password manager.
Also, a minor problem is that, if a user removes or re-encrypts a file,
the old salt value will persist in the password manager.
Regards,
--
Daiki Ueno
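The two technical points in the message above, that the cache id for a symmetric passphrase is keyed on the random 8-octet S2K salt and that re-encrypting a file leaves a stale entry behind, can be made concrete by parsing the S2K specifier out of an OpenPGP Symmetric-Key Encrypted Session Key packet (tag 3, RFC 4880 sections 3.7.1 and 5.3). The following is an added example, not code from GnuPG or pinentry: the packet bytes are constructed, and the `"S" + hex(salt)` shape of the cache id is an assumption for illustration, since the thread does not state how gpg formats it.

```python
"""Extract the S2K salt from an OpenPGP SKESK packet (tag 3) and derive a
salt-keyed cache id. Constructed example: packet bytes are made up, and the
cache id format ("S" + upper-case hex of the salt) is an assumption."""
from __future__ import annotations

import os
from dataclasses import dataclass

# S2K specifier types, RFC 4880 section 3.7.1
S2K_SIMPLE = 0
S2K_SALTED = 1
S2K_ITERATED_SALTED = 3


@dataclass
class S2K:
    s2k_type: int
    hash_algo: int
    salt: bytes  # empty for S2K_SIMPLE, 8 octets otherwise
    count: int   # 1 unless the mode is iterated+salted


def decode_count(c: int) -> int:
    """RFC 4880 section 3.7.1.3: decode the one-octet coded iteration count."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def parse_packet_header(data: bytes) -> tuple[int, int, int]:
    """Return (tag, body_offset, body_length) for a one-octet-length packet,
    accepting both old-format and new-format headers (RFC 4880 section 4.2)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 of the CTB is clear)")
    if ctb & 0x40:  # new-format header: tag in the low six bits
        tag = ctb & 0x3F
        if data[1] >= 192:
            raise ValueError("only one-octet new-format lengths are handled here")
        return tag, 2, data[1]
    tag = (ctb >> 2) & 0x0F  # old-format header: tag in bits 5..2
    if ctb & 0x03 != 0:
        raise ValueError("only one-octet old-format lengths are handled here")
    return tag, 2, data[1]


def parse_skesk(data: bytes) -> tuple[int, S2K]:
    """Parse a version-4 SKESK packet; return (symmetric algo id, S2K specifier)."""
    tag, off, length = parse_packet_header(data)
    if tag != 3:
        raise ValueError(f"expected tag 3 (SKESK), got tag {tag}")
    body = data[off:off + length]
    if len(body) < length or len(body) < 4:
        raise ValueError("truncated SKESK packet")
    if body[0] != 4:
        raise ValueError(f"unsupported SKESK version {body[0]}")
    sym_algo, s2k_type, hash_algo = body[1], body[2], body[3]
    if s2k_type == S2K_SIMPLE:
        return sym_algo, S2K(s2k_type, hash_algo, b"", 1)
    if s2k_type in (S2K_SALTED, S2K_ITERATED_SALTED):
        salt = body[4:12]
        if len(salt) != 8:
            raise ValueError("S2K salt truncated")
        count = 1
        if s2k_type == S2K_ITERATED_SALTED:
            if len(body) < 13:
                raise ValueError("S2K iteration count missing")
            count = decode_count(body[12])
        return sym_algo, S2K(s2k_type, hash_algo, salt, count)
    raise ValueError(f"unknown S2K type {s2k_type}")


def cache_id(s2k: S2K) -> str:
    """Cache id keyed on the salt alone (assumed format: "S" + hex of the salt).
    Nothing here ties the entry to a filename, which is the gap the message
    points out for frequently opened files."""
    if not s2k.salt:
        raise ValueError("a simple S2K has no salt to key a cache entry on")
    return "S" + s2k.salt.hex().upper()


def fresh_skesk_packet(sym_algo: int = 9, hash_algo: int = 8,
                       count_code: int = 0x60) -> bytes:
    """Build a new-format tag-3 packet with a freshly random salt, as an
    encryptor does; re-encrypting the same file yields a new salt and hence a
    new cache id, so the entry for the old salt is orphaned."""
    body = bytes([4, sym_algo, S2K_ITERATED_SALTED, hash_algo])
    body += os.urandom(8) + bytes([count_code])
    return bytes([0xC3, len(body)]) + body


# Constructed sample: new-format header, v4, AES-256 (9), iterated+salted S2K,
# SHA-256 (8), an 8-octet salt, coded count 0x60 (= 65536 iterations).
SAMPLE_SALT = bytes.fromhex("a1b2c3d4e5f60718")
SAMPLE_PACKET = bytes.fromhex("c30d04090308") + SAMPLE_SALT + bytes([0x60])

if __name__ == "__main__":
    algo, s2k = parse_skesk(SAMPLE_PACKET)
    print(f"sym algo {algo}, S2K {s2k}, cache id {cache_id(s2k)}")
    # Two encryptions of the "same" file never share a cache id.
    a = cache_id(parse_skesk(fresh_skesk_packet())[1])
    b = cache_id(parse_skesk(fresh_skesk_packet())[1])
    print("re-encryption changed the cache id:", a != b)
```

Because the id is a function of the salt only, a password manager that stores entries under it has no way to notice that the file the salt came from has been deleted or re-encrypted, which is the stale-entry problem raised above; associating the filename with the entry would at least make such leftovers identifiable.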