Fwd: Re: The --use-tor option

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Oct 20 15:43:27 CEST 2015


Hi Jacob--

On Tue 2015-10-20 07:43:34 -0400, Jacob Appelbaum wrote:
> Will gnupg have a UseTor option for gpg.conf now?

in modern GnuPG (2.1.x), all network access is handled by the dirmngr
daemon.

--use-tor is an option for dirmngr, so it will live in
~/.gnupg/dirmngr.conf.

> If GnuPG had Tor ControlPort integration, we could even generate Tor
> Hidden Services automatically and use them together in smart ways with
> GnuPG.

GnuPG has never offered any network services, so offering hidden
services seems like a strict increase in attack surface.  what network
service are you imagining gpg would offer?

> I hope you'll also support the Unix Domain Socket SOCKS port that
> we're now shipping with Tor (0.2.7.x and up, I think). That would mean
> that gnupg could be entirely sandboxed from the internet and only able
> to talk to the internet through Tor.

GnuPG 2.1 already only talks to the internet through dirmngr --
improvements to dirmngr are the way to go here :)  It would also be
great if someone wanted to write an apparmor or selinux profile that
confined gpg to not be able to talk to the network at all.

   --dkg



More information about the Gnupg-devel mailing list