some beginner questions

Doug Barton dougb at
Mon Apr 3 15:29:08 CEST 2017

On 04/03/2017 04:16 AM, Peter Lebbing wrote:
> On 03/04/17 08:25, Doug Barton wrote:
>> That said, as long as you have a suitable passphrase your risk of key
>> compromise is really, really minimal, even if they did get total control
>> over your device. Barring coercion, the chances of someone guessing your
>> passphrase is near zero. And currently that's the only way to gain
>> access to a secret key, even if you have it in your possession.
> I might misunderstand what you mean.

Yes, you did. :)

> But when somebody has full access
> to your device, they can simply log your keystrokes when you type the
> passphrase, and get your passphrase that way. Key compromise is very
> well possible without you knowningly handing over the passphrase.

You are correct, but that's a different threat model than someone simply 
stealing the device (which is what I wrote about). What you're 
describing implies a level of sophistication and coordination on the 
attacker's part that few of us are subject to, and certainly wasn't 
included in what Will said he was trying to guard against.

> More generally, it is impossible to use GnuPG in a meaningful way on a
> compromised device.

Well, yeah, but, again, not relevant to my post. :)


More information about the Gnupg-users mailing list