gpg-agent and memory locking

Werner Koch
Tue Sep 9 11:43:01 2003

On Mon, 8 Sep 2003 21:49:41 -0400, Todd  said:

> I'm looking to find out if gpg-agent locks memory to prevent the passphrase
> from getting swapped and if it does, should it also be setuid root as gpg
> (on systems that require root access to lock memory that is)?

Yes it does.  However the use of secure memory in gpg-agent needs to
be audited; it is likley that there are places where the passphrase
could pop up in memory.  

I have also some severe doubts whether pinentry-qt makes proper use of
secure memory.  pinentry-gtk should be better becuase it uses a widget
especially written to protect the passphrase.

> I've found a reference on this list that says it does do this and should be
> setuid but couldn't find anything else.

On those system you need to make it setuid; the usual warning is not
yet printed, though.

Werner Koch                                      <>
The GnuPG Experts                      
Free Software Foundation Europe