gpg-agent cache keygrip

Mario Figueiredo marfig at gmx.com
Thu Jul 27 16:33:07 CEST 2017


On Thu, 27 Jul 2017 14:23:44 +0200
Peter Lebbing <peter at digitalbrains.com> wrote:

> Now let's get on to a passphrase manager and GnuPG specifically. A
> different way to look at it is this: would you use GnuPG to protect
> your passphrase manager? This is actually a feature request I've seen
> multiple times: please provide a way to use my OpenPGP key to unlock
> my passphrase manager. In that way, the security of the passphrase
> manager is utterly dependent on the security of GnuPG. Crack GnuPG,
> and the passphrase manager falls immediately as well.

This is precisely what 'pass' (1) does. I have never looked back since I
started using it.

Of note also is the fact that pass is not a compiled program, but instead a
shell script smartly wrapping GnuPG functionality into the shape of a
password manager. For this reason, I don't know if anyone ever ported
the idea to Windows, but from what little I remember of PowerShell, it
would be perfectly doable.

I use pass with rofi-pass to facilitate the integration with browsers
and applications, allowing me to quickly enter passwords without typing
them into any type of program that accepts keyboard input from the
clipboard. And without *any* need for plugins of any sort on those
pesky browsers.


> and those who would store their GnuPG passphrases in a
> passphrase manager.

This indeed is not so bad if it is also GnuPG that is handling your
password manager. Although, I'd agree that it is one thing to discover the
GnuPG passphrase for a password manager and it is another thing to also
discover that you now have the victim's passwords for the remaining GnuPG
keys accessible to you.

But there are other considerations. Who am I? What do I do in life? Who
are my enemies? Depending on how good we are at answering these questions
in a rational way, I find that a large part of the general population
has little to no reason to fear storing sensitive GnuPG-specific data
in their personal, entirely offline password store.

As an FYI, I do not store the actual passphrases, but I do store the
0-type revocation certificates with 'pass'. I don't find that
threatening, and it tremendously facilitates things for someone without
any access to reliable and secure physical storage. There is no reason
why I couldn't store the passphrases also. I will eventually, the day I
start fearing my brain.

-- 
Sinceramente / Best regards,

Mário J.G.P. Figueiredo
Luanda, Angola
(email) marfig at gmx.com (alt) krugar at openmailbox.org
(phone) +244 934 535 121
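As an added illustration of the shape described above (a shell script wrapping gpg into a password store), here is a minimal pass-like store; it is example code written for this page, not the real pass(1) script nor anything from the list. The STORE directory, the function names and the placeholder key id are assumptions; the entry-name check mirrors the idea that pass refuses names that could escape the store, and the gpg calls rely on gpg-agent caching the private-key passphrase exactly as pass does.

```shell
#!/bin/sh
# Minimal pass-style store (example, not pass itself): every secret is one
# gpg-encrypted file below $STORE, and $STORE/.gpg-id names the OpenPGP key
# that every entry is encrypted to. STORE is an assumed location.
STORE="${STORE:-$HOME/.password-store-demo}"

# Refuse entry names that could resolve outside the store (absolute paths,
# empty names, or any "." / ".." path component).
check_sneaky_path() {
  case "$1" in
    ""|/*) echo "refusing absolute or empty entry name: '$1'" >&2; return 1 ;;
  esac
  case "/$1/" in
    */../*|*/./*) echo "refusing sneaky entry name: '$1'" >&2; return 1 ;;
  esac
  return 0
}

# Map an entry name to its encrypted file: web/example -> $STORE/web/example.gpg
entry_file() { printf '%s/%s.gpg\n' "$STORE" "$1"; }

# Recipient key id for the store, read from .gpg-id as pass does.
store_recipient() { head -n 1 "$STORE/.gpg-id"; }

# Create the store and record the key that every entry will be encrypted to.
store_init() { mkdir -p "$STORE" && printf '%s\n' "$1" > "$STORE/.gpg-id"; }

# Read a secret from stdin and encrypt it to the store key (public-key
# operation, so no passphrase is needed to insert).
store_insert() {
  check_sneaky_path "$1" || return 1
  f=$(entry_file "$1")
  mkdir -p "$(dirname "$f")"
  gpg --quiet --yes --encrypt --recipient "$(store_recipient)" --output "$f"
}

# Decrypt one entry to stdout; gpg-agent caches the unlocked key so repeated
# lookups do not prompt again until the cache expires.
store_show() {
  check_sneaky_path "$1" || return 1
  gpg --quiet --decrypt "$(entry_file "$1")"
}
```

Usage follows pass: `store_init <your-key-id>`, then `printf '%s\n' 'secret' | store_insert web/example` and `store_show web/example`.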