Please Consider Increasing SECMEM_BUFFER_SIZE To 1048576

Werner Koch wk at
Thu Oct 19 17:37:20 CEST 2017

On Fri, 13 Oct 2017 19:42, dkg at said:

> Also, any sensible use of swap today on any machine that has sensitive
> data should be done with an ephemerally-encrypted swap device.  In

Indeed.  Back in the late 90ies, avoidance of such secret leakage was on
the wishlist of all security folks and thus gpg implemented this right
From its beginning.

To use mlock for this was actually a kludge for Linux, other Unices, and
(later) Windows where we had no encrypted swap or it used to be really
complicate to setup.  The *BSDs had useful encrypted swap much earlier
but GnuPG wanted to address all platforms.

> particular, on GNU/Linux systems with cryptsetup, that means something
> like:

Thanks for that short howto.  Is there a reason why it is not done by
default in Debian?  Can we expect it in Buster?



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-devel mailing list