gpg
Jorge Almeida
jalmeida at math.ist.utl.pt
Wed Nov 22 10:05:10 CET 2006
On Wed, 22 Nov 2006, Werner Koch wrote:
>> first question is whether the passphrase is kept in locked memory
>> (assuming the OS supports it), i.e., the passphrase is never sent to disk
>> or swap. Is this correct?
>
> Right. The passphrase (in all cases: when asking for the passphrase,
> or when gpg-agent requires it internally) is never stored on disk but
> kept in a special memory area of gpg-agent ("secure memory"). That
> memory area is protected from swapping out to disk.
>
Great.
> However we rely on the OS's kernel not to reveal the content of a
> pipe. Pipes are used to convey the passphrase from the pinentry to
I suppose Linux does the right thing wrt this issue. Correct?
>
> The cache is only in RAM. It is not encrypted there because you would
> anyway need to store the decryption key somewhere else in RAM.
>
And the cache is also in secure memory, just like the passphrases.
Right?
Thanks a lot.
Jorge
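The "secure memory" Werner describes above (a region the kernel is asked not to swap, holding both the passphrase and the cache, wiped when no longer needed) can be shown in a few dozen lines. The following is an added example, not part of the original thread and not GnuPG's own secmem implementation; the names secmem_t, secmem_alloc, secmem_store and secmem_free are illustrative, and the sample passphrase is constructed. It mirrors one behaviour worth knowing about: if mlock() fails (RLIMIT_MEMLOCK too low, or an unprivileged container), the region is still usable but is not protected from swapping, which is the situation behind gpg's "using insecure memory" warning.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* A small "secure memory" arena: one anonymous, page-aligned mapping,
 * locked with mlock() so the kernel will not swap it out, and wiped
 * before it is unmapped. Names are illustrative, not GnuPG's. */
typedef struct {
    unsigned char *ptr;   /* start of the mapping */
    size_t len;           /* bytes the caller may use */
    size_t mapped;        /* page-rounded size actually mapped */
    int locked;           /* 1 if mlock() succeeded, else 0 ("insecure memory") */
} secmem_t;

/* Zero a buffer through a volatile pointer so the compiler cannot drop
 * the stores as dead (a plain memset() right before unmapping often is). */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Map and lock a region of at least len bytes. Returns 0 on success,
 * -1 if the mapping itself fails. A failed mlock() is not fatal: the
 * region is usable but s->locked is 0, like gpg's insecure-memory case. */
int secmem_alloc(secmem_t *s, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        page = 4096;
    size_t mapped = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;

    void *p = mmap(NULL, mapped, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;

    s->ptr = p;
    s->len = len;
    s->mapped = mapped;
    s->locked = (mlock(p, mapped) == 0);
    if (!s->locked)
        fprintf(stderr, "warning: mlock failed (%s): using insecure memory\n",
                strerror(errno));
#ifdef MADV_DONTDUMP
    /* Linux: best effort to keep the region out of core dumps as well. */
    madvise(p, mapped, MADV_DONTDUMP);
#endif
    return 0;
}

/* Copy a NUL-terminated passphrase into the arena. Returns the bytes
 * stored (excluding the NUL), or 0 if it does not fit: a passphrase is
 * never silently truncated. */
size_t secmem_store(secmem_t *s, const char *pw)
{
    size_t n = strlen(pw);
    if (s->ptr == NULL || n >= s->len)
        return 0;
    memcpy(s->ptr, pw, n + 1);
    return n;
}

/* Wipe, unlock and unmap. Returns 1 if every byte read back as zero
 * before the unmap, 0 if there was nothing to free or the wipe failed. */
int secmem_free(secmem_t *s)
{
    if (s->ptr == NULL)
        return 0;
    secure_wipe(s->ptr, s->mapped);
    int clean = 1;
    for (size_t i = 0; i < s->mapped; i++)
        if (s->ptr[i] != 0) { clean = 0; break; }
    if (s->locked)
        munlock(s->ptr, s->mapped);
    munmap(s->ptr, s->mapped);
    s->ptr = NULL;
    s->len = s->mapped = 0;
    s->locked = 0;
    return clean;
}

int main(void)
{
    secmem_t s;
    if (secmem_alloc(&s, 256) != 0) {
        perror("mmap");
        return 1;
    }
    /* Constructed sample passphrase, standing in for what pinentry hands over. */
    size_t n = secmem_store(&s, "correct horse battery staple");
    printf("stored %zu bytes in %s memory (%zu bytes mapped)\n",
           n, s.locked ? "locked" : "UNLOCKED", s.mapped);
    printf("wiped cleanly before unmap: %s\n", secmem_free(&s) ? "yes" : "no");
    return 0;
}
```

When the program reports UNLOCKED, check the locked-memory limit of the user running it (`ulimit -l`); raising it, or granting CAP_IPC_LOCK, is what turns the warning off. The wipe-before-unmap matters even with a lock in place: the lock prevents swapping, it does not prevent the freed pages from being handed to the next allocation in the same process.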