Is gpg-agent passphrase status query possible?

Werner Koch wk at
Fri Oct 31 08:48:35 CET 2014

On Fri, 31 Oct 2014 06:51, ml at said:

> It prints the GPG passphrase in plain text. Is the password cached in plain 
> text?

Catch-22. How would you protect the key used to decrypt the cache?

Actually the content of the passphrase cache is stored encrypted in RAM
but the key for that is stored in RAM too:

/* The encryption context.  This is the only place where the
   encryption key for all cached entries is available.  It would be nice
   to keep this (or just the key) in some hardware device, for example
   a TPM.  Libgcrypt could be extended to provide such a service.
   With the current scheme it is easy to retrieve the cached entries
   if access to Libgcrypt's memory is available.  The encryption
   merely avoids grepping for clear texts in the memory.  Nevertheless
   the encryption provides the necessary infrastructure to make it
   more secure.  */



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list