Safe decryption with GnuPG?

Krzysztof Żelechowski program.spe at home.pl
Tue Feb 5 19:10:35 CET 2008


Dnia 05-02-2008, Wt o godzinie 11:36 -0600, Robert J. Hansen pisze:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Krzysztof Żelechowski wrote:
> > The decrypted information must not make it to any persistent medium 
> 
> GnuPG is almost certainly the wrong tool for your job.  GnuPG has little
> control over low-level operating systems details like swap files.  It is
> possible for cleartext to be stored in some manner.

GnuPG claims it locks memory pages so that they are never dumped.

> 
> > (I understand gpg '-d' already guarantees it 
> > as long as it manages the decrypted text,
> >  but what happens after it leaves gpg?)
> 
> [many other requirements snipped]
> 
> Many of your requirements belong in the application stack alongside or
> above GnuPG, but are pretty much unrelated to GnuPG.  After it leaves
> GnuPG it's no longer GnuPG's problem.  

I just thought the answer would be quick, straightforward and positive, 
and that there should exist such highly confidential software 
on top of GnuPG.  
Since nothing of this sort was mentioned on the Web page, I dared ask.

> Many of your requirements are
> also impossible to meet.  I don't mean "impossible" as in "it would
> require a lot of engineering", I mean "impossible" as in "it's like
> violating the Second Law of Thermodynamics".

Well, it seems it is impossible to prohibit taking a screen shot;
hopefully a user mode application 
cannot do this without a kernel driver.

> 
> > Can you direct me to some implementation meeting these requirements?
> 
> There exists no such implementation.

Thanks a lot, mine is going to be the first :-) 
(although I am quite surprised
because the requirements are quite obvious to me; 
for what is the benefit of encryption 
when a bad robot can read over your shoulder?)

For the time being, I am inclined to implement the following scheme:
1. Open a new console session.
2. Run gpg '-d' | fgrep
3. Read the result.
4. Close the session.

This obviously does not meet the requirements 
because the text mode console driver 
stores the content of the console in a character buffer 
and does not do all the funny things with scrambling and all.
The mitigating factor is, as always, that the session is short-lived.

Chris
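Robert's point above, that once the plaintext leaves GnuPG its handling is the receiving program's job, as an added example that is not from this thread or from GnuPG: a small POSIX C buffer that takes the decryptor's output from a pipe into mlock()ed memory, records whether locking actually succeeded, and wipes it before release. The names (secret_buf and its functions) are hypothetical, and it assumes Linux/POSIX (mlock, posix_memalign, optional MADV_DONTDUMP).

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
/* Plaintext buffer kept out of swap and core dumps: page-aligned, mlock()ed,
 * MADV_DONTDUMP where available, and cleared through a volatile pointer. */
struct secret_buf { unsigned char *p; size_t len; int locked; };

/* Returns 0 on success. b->locked says whether mlock() worked; it can fail
 * (RLIMIT_MEMLOCK) and a caller needing the no-swap guarantee must check it. */
int secret_buf_init(struct secret_buf *b, size_t len) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t rounded = ((len + page - 1) / page) * page;
    void *p = NULL;
    if (posix_memalign(&p, page, rounded) != 0) return -1;
    b->p = p; b->len = rounded;
    b->locked = (mlock(p, rounded) == 0);
#ifdef MADV_DONTDUMP
    madvise(p, rounded, MADV_DONTDUMP);   /* keep it out of core dumps too */
#endif
    return 0;
}

/* Read the decryptor's stdout (a pipe, never a temp file) straight into the
 * locked buffer. Returns bytes read, or -1 on a read error. */
ssize_t secret_buf_fill(struct secret_buf *b, int fd) {
    size_t got = 0;
    while (got < b->len) {
        ssize_t n = read(fd, b->p + got, b->len - got);
        if (n < 0) return -1;
        if (n == 0) break;
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Volatile stores so the clearing is not optimised away as a dead write. */
void secret_buf_wipe(struct secret_buf *b) {
    volatile unsigned char *v = b->p;
    for (size_t i = 0; i < b->len; i++) v[i] = 0;
}
int secret_buf_is_wiped(const struct secret_buf *b) {
    for (size_t i = 0; i < b->len; i++) if (b->p[i]) return 0;
    return 1;
}
void secret_buf_free(struct secret_buf *b) {
    secret_buf_wipe(b);                   /* free() alone leaves plaintext in the heap */
    if (b->locked) munlock(b->p, b->len);
    free(b->p); b->p = NULL; b->len = 0;
}
```

The "gpg -d | fgrep" step of the scheme maps onto secret_buf_fill reading from the pipe's read end; if b.locked is 0 after init, the no-swap property the thread asks for is not in force and the caller should stop.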