Werner Koch wk at
Wed Nov 22 09:24:46 CET 2006

On Tue, 21 Nov 2006 18:09, jalmeida at said:

> Assuming that the gpg-agent daemon is running and some client
> application needs to encrypt or decrypt something, what happens? As I
> understood it, the client connects to the socket and gpg-agent tells
> pinentry to ask for a passphrase, if it doesn't have it yet. Now, the

That is correct for gpg.  It is different with gpgsm (and will be for
future versions of gpg2): The client (i.e. gpgsm) connects to the
agent and asks the agent to decrypt a session key or to sign a hash.
Whether the agent then requires a passphrase is solely a decision
taken internally by gpg-agent.

> first question is whether the passphrase is kept in locked memory
> (assuming the OS supports it), i.e., the passphrase is never sent to disk
> or swap. Is this correct?

Right. The passphrase (in all cases: when asking for the passphrase,
or when gpg-agent requires it internally) is never stored on disk but
kept in a special memory area of gpg-agent ("secure memory").  That
memory area is protected from swapping out to disk.

However we rely on the OS's kernel not to reveal the content of a
pipe.  Pipes are used to convey the passphrase from the pinentry to
the agent and to gpg.

> The other question (not independent from the former) is what is (and
> where is) gpg-agent cache: a directory? containing what? the passphrases
> for several keys? and are they protected only by the filesystem
> permissions, or is there a more elaborate setup?

The cache is only in RAM.  It is not encrypted there because you would
anyway need to store the decryption key somewhere else in RAM.

Gpgsm's private keys (X.509 and SSH) are stored on disk.  One file per
key, all under the directory ~/.gnupg/private-keys-v1.d/.  The keys
stored there are usually encrypted using a passphrase. gpg-agent
decrypts the keys on the fly and only keeps them in RAM.  To see the
structure of these key files, you may use the command

  /usr/local/libexec/gpg-protect-tool \

The structure is documented in gnupg/agent/keyformat.txt.
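As an added illustration (my code, not from the post and not part of GnuPG), a small Python reader for the canonical S-expression layout of those key files, run over a constructed sample; the element names (protected-private-key, rsa, protected, shadowed) follow keyformat.txt as I recall it and are an assumption here, and the reader never decrypts anything, it only reports how a key is protected.

```python
# Added example (not from the post or the GnuPG sources): a minimal reader for
# the canonical S-expressions in ~/.gnupg/private-keys-v1.d/ (atoms are <len>:<bytes>).
def encode_csexp(node) -> bytes:
    """Encode nested lists of bytes atoms as a canonical S-expression."""
    if isinstance(node, bytes):
        return str(len(node)).encode() + b":" + node
    return b"(" + b"".join(encode_csexp(n) for n in node) + b")"

def parse_csexp(data: bytes):
    """Parse one canonical S-expression into nested lists of bytes atoms."""
    def parse(pos):
        if data[pos:pos + 1] == b"(":
            items, pos = [], pos + 1
            while data[pos:pos + 1] != b")":
                item, pos = parse(pos)
                items.append(item)
            return items, pos + 1
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("truncated atom")
        return data[start:start + length], start + length
    tree, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after S-expression")
    return tree

def describe_key(data: bytes) -> dict:
    """Summarise how a key file is protected without touching the secret."""
    tree = parse_csexp(data)
    algo = tree[1]                      # e.g. (rsa (n ..) (e ..) (protected ..))
    info = {"kind": tree[0].decode(), "algo": algo[0].decode(),
            "parts": [p[0].decode() for p in algo[1:]], "protection": None}
    for part in algo[1:]:
        if part[0] == b"protected":     # passphrase-encrypted private parts
            s2k = part[2][0]            # params assumed as ((hash salt count) iv)
            info["protection"] = part[1].decode()
            info["s2k_hash"], info["s2k_count"] = s2k[0].decode(), int(s2k[2])
        elif part[0] == b"shadowed":    # private part lives on a smartcard
            info["protection"] = "shadowed:" + part[1].decode()
    return info

# CONSTRUCTED sample in the protected-RSA layout; all byte values are dummies.
SAMPLE_KEY = encode_csexp([b"protected-private-key",
    [b"rsa", [b"n", b"\x00\xc3" * 4], [b"e", b"\x01\x00\x01"],
     [b"protected", b"openpgp-s2k3-sha1-aes-cbc",
      [[b"sha1", b"saltsalt", b"65536"], b"\x00" * 16], b"\x00" * 32]],
    [b"comment", b"constructed example"]])
```

Pointing describe_key at a real file from private-keys-v1.d/ shows whether each key is passphrase-protected, unprotected, or shadowed on a card, which is the check worth running before trusting the "never on disk in the clear" assumption.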
