Extraction of decryption session key without copying complete encrypted file

Andrew Gallagher andrewg at andrewg.com
Fri Aug 4 16:07:22 CEST 2017


On 04/08/17 14:39, Matthias Apitz wrote:
> But this implies that everyone with priv access on the remote host could
> abuse your secret key on your localhost, especially when a GnuPG-card is
> used and you entered the PIN to unlock the secret key. I'm wrong?

Yes, someone with root on the remote machine can do whatever they want
on that machine. The solution is not to perform *any* crypto on a
machine whose admins you do not trust. There's nothing that software can
do to protect you from rogue sysadmins.

If you don't want the sysadmins on the remote machine to abuse your
private key, then you have to download the data, perform your crypto
locally and then upload the data again. Once you allow any software on
the remote machine to access your local resources, the remote sysadmins
can access them too.

This applies to all sorts of other things BTW, such as client drives and
printers shared over RDP.

-- 
Andrew Gallagher
