jalmeida at math.ist.utl.pt
Wed Nov 22 10:05:10 CET 2006
On Wed, 22 Nov 2006, Werner Koch wrote:
>> first question is whether the passphrase is kept in locked memory
>> (assuming the OS supports it), i.e, the passphrase is never send to disk
>> or swap. Is this correct?
> Right. The passphrase (in all cases: when asking for the passphrase,
> or when gpg-agent requires it internally) is never stored on disk but
> kept in a special memory area of gpg-agent ("secure memory"). That
> memory area is protected from swapping out to disk.
> However we rely on the OS's kernel not to reveal the content of a
> pipe. Pipes are used to convey the passphrase from the pinnetry to
I suppose Linux does the right thing wrt this issue. Correct?
> The cache is only in RAM. It is not encrypted there because you would
> anyway need to store the decryption key somehere else in RAM.
And the cache is also is secure memory, just like the passphrases.
Thanks a lot.
More information about the Gnupg-users