Question about the security of the GnuPG Agent with regard to cryptographic material scrubbing

Sarun Intaralawan sarunint at sarunint.com
Tue Feb 26 11:58:22 CET 2019


Hi Caprian,

I'm not able to answer your main question, but I believe it is as you
explained. However, regarding the matter in the P.S., I'm glad to inform you
that such a tool exists. It is called pass [1] and it is fully integrated
with GnuPG and Git, so you can back up your passwords like a Git repository.

There are also Android and iOS implementations of pass.

Hope this helps.

Regards,
Sarun

[1]: https://www.passwordstore.org

On Tue, 26 Feb 2019, 17:47 Ciprian Dorin Craciun, <ciprian.craciun at gmail.com>
wrote:

> Hello all!
>
> Given the recent survey in password managers security [1], which
> concluded with their failure to properly sanitize / scrub the
> sensitive data (i.e. "master key") in "running locked state", I was
> wondering how GnuPG Agent fares in this regard?
>
> More specifically:
> * let's assume that one uses GnuPG Agent;  (only for PGP;)
> * the user enters the password for a particular private key;
> * (one assumes that the password was used to get the private key
> cryptographic material, and then scrubbed;)
> * then `--max-cache-ttl` seconds pass;
> * one assumes that the private key cryptographic material is now scrubbed;
>
> Is this expectation correct?
>
>
> Is there some external analysis about the security of the agent with
> regard to the scrubbing of both passwords and cryptographic material?
>
> Thanks,
> Ciprian.
>
>
> [1]
> https://www.securityevaluators.com/casestudies/password-manager-hacking/
>
> P.S.:  My interest in this subject is because I have a "custom"
> password manager implemented on top of GnuPG, which I'm sure leaks
> passwords all over the place (because it's written in Bash, and uses
> various X tools, none made for security).  However, I am curious how
> "safe" the actual GnuPG agent really is.
>
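One way to check the expectation in the quoted message empirically, rather than by assumption, is to ask the running agent which keys still have a cached passphrase after the TTL has elapsed. The script below is an added example, not code from the thread or from GnuPG itself; it assumes `gpg-connect-agent` is on PATH for a live run and otherwise falls back to a constructed sample of the `KEYINFO --list` reply.

```python
"""Report which private keys gpg-agent currently holds with a cached
passphrase, by parsing the Assuan status lines of `KEYINFO --list`.
Added example (not from the original thread). Live mode assumes
gpg-connect-agent is on PATH; SAMPLE_REPLY below is constructed."""
import shutil
import subprocess

# Field order of a KEYINFO status line as emitted by gpg-agent:
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
# <cached> is "1" while the passphrase is in the agent's cache, "-" otherwise.
FIELDS = ("keygrip", "type", "serialno", "idstr", "cached",
          "protection", "fpr", "ttl", "flags")
MIN_TOKENS = 2 + FIELDS.index("cached") + 1  # enough to read the cached flag


def parse_keyinfo(reply: str) -> list:
    """Return one dict per 'S KEYINFO' line; 'cached' becomes a bool."""
    keys = []
    for line in reply.splitlines():
        parts = line.split()
        if len(parts) < MIN_TOKENS or parts[:2] != ["S", "KEYINFO"]:
            continue  # OK, ERR and unrelated status lines are skipped
        rec = dict(zip(FIELDS, parts[2:2 + len(FIELDS)]))
        rec["cached"] = rec["cached"] == "1"
        keys.append(rec)
    return keys


def cached_keygrips(reply: str) -> list:
    """Keygrips whose passphrase the agent still has in its cache."""
    return [k["keygrip"] for k in parse_keyinfo(reply) if k["cached"]]


def query_agent() -> str:
    """Ask the running agent; returns '' if gpg-connect-agent is missing."""
    if shutil.which("gpg-connect-agent") is None:
        return ""
    out = subprocess.run(["gpg-connect-agent", "KEYINFO --list", "/bye"],
                         capture_output=True, text=True, check=False)
    return out.stdout


# Constructed sample reply: one key with a cached passphrase, one without.
SAMPLE_REPLY = (
    "S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 D - - 1 P - - -\n"
    "S KEYINFO FEDCBA9876543210FEDCBA9876543210FEDCBA98 D - - - P - - -\n"
    "OK\n"
)

if __name__ == "__main__":
    for grip in cached_keygrips(query_agent() or SAMPLE_REPLY):
        print("passphrase still cached for keygrip", grip)
```

Running it before and after `--max-cache-ttl` seconds have elapsed shows whether the cached flag actually clears; an unexpected "1" is the signal to look at the agent's cache settings.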