Question about the security of the GnuPG Agent with regard to cryptographic material scrubbing

Ciprian Dorin Craciun ciprian.craciun at gmail.com
Tue Feb 26 12:54:01 CET 2019


On Tue, Feb 26, 2019 at 12:58 PM Sarun Intaralawan
<sarunint at sarunint.com> wrote:
> I'm not able to answer your main question, but I believe it is as you explained. However, regarding the matter in P.S., I'm glad to inform you that such a tool exists. It is called pass [1] and it is fully integrated with GnuPG and Git. So you can back up your password like a Git repository.


I know about that tool, however it is unfortunately also written in
Bash, which, like my own implementation, has countless ways to
(permanently) leak the password.

For example take the following commit:
    https://git.zx2c4.com/password-store/commit/src/password-store.sh?id=367efa5846492e1b0898aad8a2c26ce94163ba24

Which has the following change:
~~~~
- $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}"
<<<"$password" || die "Password encryption aborted."
+ echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile"
"${GPG_OPTS[@]}" || die "Password encryption aborted."
~~~~
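
Review bot: On the added `echo "$password" | $GPG -e ...` line, `echo` parses its argument for options, so a password that is exactly `-n` or `-e` is consumed as a flag and GPG receives empty or altered input. Suggest `printf '%s\n' "$password" | $GPG -e ...`, which still avoids the here-string and writes the value verbatim; a short comment on that line saying why the here-string was dropped would also keep it from being reintroduced.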

It was committed in 2018, but the tool is from 2015, thus in the
interim all the passwords were leaked into `$TMPDIR` and thus on the
disk, which in most cases is actually the `rootfs`.  Thus without much
effort, one can take out the HDD, and just run a file-system recovery
tool to recover deleted files, or dump ASCII tokens, and thus get
access to the used passwords.


I'm not criticizing the `pass` tool, as I know myself how hard it is
to write a tool that doesn't leak data, however any such tool should
come with a big warning to its users.

Unfortunately on the project page there is no mention of its security
weaknesses or any hint to the users about possible data leaks.

Ciprian.


