gpg-agent cache keygrip

Peter Lebbing peter at digitalbrains.com
Thu Jul 27 11:46:33 CEST 2017


On 27/07/17 11:24, MFPA wrote:
> Have you considered using a password manager to remember them?

What would be the purpose?

I already fail to see the problem of GnuPG filling in a passphrase it
already knows... surely an attacker would try the same thing as well, I
don't know what GnuPG not trying a known passphrase would actually gain
you in security. GnuPG is not your attacker.

Adding a passphrase manager only introduces another layer of indirection
plus extra steps for the user to unlock their key, but it seems to solve
no actual problem. It just moves the item that is of interest to the
attacker.

Mario, if you for some reason don't like to unlock both keys at once,
for instance so you notice the first time during your session you use
your key, you could also add a number to the passphrase. For instance,
if your passphrase for both keys is "This is surely suboptimal", you
could give one key the passphrase "This is surely suboptimal1" and the
other "This is surely suboptimal2". Then GnuPG won't unlock both keys at
once, but you still don't need to remember more than when you shared the
passphrase. If you can't remember which is 1 and which is 2, use
something you can recognise. For instance, if the pinentry asks you
"Please unlock key 0x6228A8BC", you could append a C, the very last
digit of the identifier.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
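An added example to go with the discussion above (not code from the thread or from GnuPG): gpg-agent caches passphrases per keygrip, and its `KEYINFO --list` Assuan command reports, for every key it knows, whether a passphrase is currently cached. Parsing that output is the quickest way to see whether unlocking one key left a second key unlocked as well, which is the situation the suffix trick is meant to avoid. The column layout assumed here is the one documented for the KEYINFO status line in the gpg-agent manual; the sample output embedded below is constructed, not captured from a real agent, and the live query path assumes `gpg-connect-agent` is on PATH.

```python
"""Report which private keys gpg-agent currently holds unlocked.

Added example, not part of the mailing-list post.  The SAMPLE_OUTPUT is
constructed to look like 'gpg-connect-agent "KEYINFO --list" /bye' output;
the real agent is only consulted when gpg-connect-agent is installed.
"""
import shutil
import subprocess
from dataclasses import dataclass

# Column layout of a KEYINFO status line, as documented in the gpg-agent manual:
#   KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
# 'cached' is '1' when the agent holds the passphrase for that keygrip.


@dataclass(frozen=True)
class KeyInfo:
    keygrip: str
    key_type: str      # 'D' key on disk, 'T' key on a token, 'X' missing/unknown
    cached: bool       # True when the agent has the passphrase in its cache
    protection: str    # 'P' passphrase-protected, 'C' clear, '-' unknown


def parse_keyinfo(output: str) -> list[KeyInfo]:
    """Parse the status lines gpg-connect-agent prints for 'KEYINFO --list'."""
    keys = []
    for line in output.splitlines():
        parts = line.split()
        # A status line looks like:  S KEYINFO <keygrip> D - - 1 P - - -
        if len(parts) < 8 or parts[0] != "S" or parts[1] != "KEYINFO":
            continue  # 'OK', 'ERR ...' and anything else is not a key record
        keygrip, key_type, _serialno, _idstr, cached, protection = parts[2:8]
        keys.append(KeyInfo(keygrip, key_type, cached == "1", protection))
    return keys


def cached_keygrips(output: str) -> set[str]:
    """Keygrips whose passphrase the agent currently has cached."""
    return {k.keygrip for k in parse_keyinfo(output) if k.cached}


def unlocked_together(output: str, grip_a: str, grip_b: str) -> bool:
    """True when both keygrips are cached at once, i.e. using one key
    (or a shared passphrase) left the other key unlocked as well."""
    cached = cached_keygrips(output)
    return grip_a in cached and grip_b in cached


def query_agent() -> str:
    """Ask the running gpg-agent for its key list (hypothetical helper name)."""
    if shutil.which("gpg-connect-agent") is None:
        raise RuntimeError("gpg-connect-agent not found on PATH")
    return subprocess.run(
        ["gpg-connect-agent", "KEYINFO --list", "/bye"],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed sample: two on-disk, passphrase-protected keys, only the first
# currently unlocked.  The keygrips are made up.
SAMPLE_OUTPUT = """\
S KEYINFO 0E9F1C3A6B5D4F2E7A8C9B0D1E2F3A4B5C6D7E8F D - - 1 P - - -
S KEYINFO 1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D D - - - P - - -
OK
"""

if __name__ == "__main__":
    try:
        output = query_agent()
        source = "live gpg-agent"
    except (RuntimeError, subprocess.CalledProcessError):
        output = SAMPLE_OUTPUT
        source = "constructed sample"
    print(f"# key cache state from {source}")
    for key in parse_keyinfo(output):
        state = "cached" if key.cached else "locked"
        print(f"{key.keygrip}  type={key.key_type}  prot={key.protection}  {state}")
```

To reproduce the situation from the thread, sign something with one key, then run the script: if the keygrip of the other key shows `cached` too, the agent reused the shared passphrase for it; with distinct suffixes, as suggested above, only the key you actually used should report `cached`. Keygrips for your own keys come from `gpg --with-keygrip -K`.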
