Question about the security of the GnuPG Agent with regard to cryptographic material scrubbing

Andrew Gallagher andrewg at andrewg.com
Tue Feb 26 15:03:21 CET 2019


On 26/02/2019 11:54, Ciprian Dorin Craciun wrote:
> Thus without much
> effort, one can take out the HDD, and just run a file-system recovery
> tool to recover deleted files, or dump ASCII tokens, and thus get
> access to the used passwords.

Indeed, but if you use one of the standard web browsers your session
tokens are also stored on disk, by default unencrypted, and in many
cases these are equivalent to passwords (depending on the website).

Password managers address the issue of a network attacker. They don't
directly solve the problem of an attacker who has physical access to
your device. An encrypted drive is a better way to prevent an attacker
getting access to sensitive material on disk (not only passwords).

So while the problem you identify is bad, it's not fatal.

-- 
Andrew Gallagher


More information about the Gnupg-users mailing list