Jorge Almeida jalmeida at
Wed Nov 22 10:05:10 CET 2006

On Wed, 22 Nov 2006, Werner Koch wrote:

>> first question is whether the passphrase is kept in locked memory
>> (assuming the OS supports it), i.e., the passphrase is never sent to disk
>> or swap. Is this correct?
> Right. The passphrase (in all cases: when asking for the passphrase,
> or when gpg-agent requires it internally) is never stored on disk but
> kept in a special memory area of gpg-agent ("secure memory").  That
> memory area is protected from swapping out to disk.

> However we rely on the OS's kernel not to reveal the content of a
> pipe.  Pipes are used to convey the passphrase from the pinentry to

  I suppose Linux does the right thing wrt this issue. Correct?

> The cache is only in RAM.  It is not encrypted there because you would
> anyway need to store the decryption key somewhere else in RAM.
And the cache is also in secure memory, just like the passphrases.

Thanks a lot.


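The "secure memory" discussed above (a dedicated RAM area that the kernel is asked not to swap out, wiped before release) can be illustrated with a small, self-contained C program. This is an added example and not gpg-agent's or libgcrypt's own secmem code; the struct and function names (secbuf_*) are hypothetical, the passphrase is constructed for the demo, and the behaviour relies on POSIX mmap/mlock plus the Linux-only MADV_DONTDUMP hint where available. mlock() can be refused (EPERM, or ENOMEM under RLIMIT_MEMLOCK), so the code records whether locking actually succeeded rather than silently assuming it.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Hypothetical secure-memory buffer (illustration, not gpg-agent's secmem). */
struct secbuf {
    unsigned char *ptr;   /* page-aligned anonymous mapping */
    size_t len;           /* bytes mapped, rounded up to whole pages */
    int locked;           /* 1 if mlock() succeeded, 0 if the kernel refused */
};

/* Map a private anonymous region and ask the kernel to keep it out of swap
 * and (on Linux) out of core dumps.  Returns 0 on success, -1 on failure. */
int secbuf_alloc(struct secbuf *b, size_t want)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;
    size_t len = ((want + (size_t)page - 1) / (size_t)page) * (size_t)page;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    b->ptr = p;
    b->len = len;
    b->locked = (mlock(p, len) == 0);   /* may fail under RLIMIT_MEMLOCK */
#ifdef MADV_DONTDUMP
    madvise(p, len, MADV_DONTDUMP);     /* Linux: exclude region from core dumps */
#endif
    return 0;
}

/* Copy a NUL-terminated passphrase into the buffer.
 * Returns the passphrase length, or -1 if it does not fit. */
int secbuf_store(struct secbuf *b, const char *pw)
{
    size_t n = strlen(pw);
    if (n + 1 > b->len)
        return -1;
    memcpy(b->ptr, pw, n + 1);
    return (int)n;
}

/* Overwrite through a volatile pointer so the compiler cannot drop the
 * wipe as a dead store before the mapping is released. */
void secbuf_wipe(struct secbuf *b)
{
    volatile unsigned char *v = b->ptr;
    for (size_t i = 0; i < b->len; i++)
        v[i] = 0;
}

/* 1 if every byte of the buffer is zero, else 0. */
int secbuf_is_zero(const struct secbuf *b)
{
    for (size_t i = 0; i < b->len; i++)
        if (b->ptr[i] != 0)
            return 0;
    return 1;
}

/* Wipe, unlock and unmap.  Returns 0 on success, -1 on failure. */
int secbuf_release(struct secbuf *b)
{
    secbuf_wipe(b);
    if (b->locked)
        munlock(b->ptr, b->len);
    int rc = munmap(b->ptr, b->len);
    b->ptr = NULL;
    b->len = 0;
    b->locked = 0;
    return rc;
}

int main(void)
{
    struct secbuf b;
    if (secbuf_alloc(&b, 64) != 0) {
        perror("secbuf_alloc");
        return 1;
    }
    /* Constructed demo passphrase; a real agent would receive it from pinentry. */
    int n = secbuf_store(&b, "correct horse battery staple");
    printf("stored %d bytes in a %zu-byte region, mlock %s\n",
           n, b.len, b.locked ? "succeeded" : "was refused (check ulimit -l)");
    return secbuf_release(&b) == 0 ? 0 : 1;
}
```

If the program reports that mlock was refused, the buffer is still a private anonymous mapping, but the kernel is free to swap it out; the same check is worth making in any program that handles key material, since a silent mlock failure gives the protection in name only.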