[PATCH] Make pinentry-qt read and store passphrases in KDE 3.2's wallet

Werner Koch wk at gnupg.org
Wed Dec 3 12:55:38 CET 2003


On Mon, 1 Dec 2003 21:22:50 +0100, Martijn Klingens said:

> Apart from coding issues, what's the semantic difference between storing the 
> KWallet passphrase in a GPG encrypted document or storing the GPG passphrase 
> in an encrypted wallet?

What you are doing is to encrypt the key used to encrypt the secret
key.  That introduces a lot more complexity and thus insecurity.
It is pointless to store the passphrase of a gpg key in
encrypted form on the disk.  The only thing you gain from that is
convenience for the price of reduced security.  If you simply want one
passphrase for all your apps, use one passphrase and don't store it on
disk (it doesn't matter whether it is encrypted or not).  Caching a
passphrase in memory is a different issue.

> Ehm, pinentry doesn't cache passwords. What my patch does is not showing the 

Right.  gpg-agent does the caching and to have a security boundary as
well as to cope with different GUI requirements, asking for the
passphrase is diverted to a pinentry.

> the wallet for later retrieval without having to show the dialog if the 
> wallet is already open.

If you really want to do that, write a pinentry replacement, using the
documented interface, and instead of asking the user divert it to
KWallet or whatever.  This is a much cleaner design, albeit I would
not recommend it.

> time again, but then one shouldn't use the agent in the first place). KWallet 
> is also one of the few places that allows storing ssh-agent passphrases as 
> well, AFAIK gpg-agent can't be made to fit for that as well, so you'd end up 

I see no reason to store ssh passphrases.  The ssh-agent takes care of
that.  If you want to use ssh in an unattended environment, don't
protect the ssh key with a passphrase.

> However, is it possible to use either gpg-agent or ssh-agent as a single 
> centralized backend for gpg-agent, ssh-agent, kwallet, and possibly others?

I don't understand this.  gpg-agent and ssh-agent are very similar but
used for different applications.  It would be a nice exercise to add
the ssh-agent functionality to gpg-agent because they are pretty
similar in what they are doing.

How can KWallet be a backend if its purpose is to store passwords
etc.?  gpg-agent does the same and thus we can't divide it into backend
and frontend.

It is very well possible to use the pinentry from other applications
than gpg-agent.  OpenSC does this for example. 

I won't suggest to use gpg-agent as a central repository of all
passwords you might want to remember.  There is a huge difference
between the lwn.net password I need to know and the credentials I need
to have to access my machines.

> Just to re-iterate what I said above: it's not an interface _for_ kwallet, but 
> _from_ kwallet. It's just an extension to the already-existing GUI that 
> allows fetching the pass from something else than a dialog. Compare it with a 
> pinentry for a braille reader, if one exists.

Write a Braille reader aware pinentry if you need that. There are other
problems for the visually impaired when entering passphrases etc.,
though. A kind of secure attention key will help to make sure
that they are indeed talking to the pinentry.


  Werner


-- 
Werner Koch                                      <wk at gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe                  http://fsfeurope.org
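The "documented interface" Werner refers to is the Assuan command/response protocol gpg-agent speaks to a pinentry over its stdin/stdout: the pinentry greets with an OK line, answers SETDESC/SETPROMPT/OPTION and friends with OK, and returns the passphrase to GETPIN as a percent-escaped D line followed by OK, or an ERR line when the request is cancelled. The following is an added illustration of that exchange, not code from the thread, from GnuPG or from KDE: a minimal pinentry-shaped server in Python whose passphrase source is a callable, so the protocol handling stays the same whether the callable opens a dialog or consults something else. The scripted command list stands in for gpg-agent, the in-memory lookup table is constructed for the demo, and the numeric error codes are assumed from libgpg-error's convention of (source << 24) | code with source Pinentry = 5, Cancelled = 99 and Unknown IPC command = 275.

```python
"""Minimal pinentry-compatible Assuan server (added illustration; not GnuPG's
pinentry).  Each command line from the client gets one or more response
lines: "OK", "ERR <code> <text>", or "D <data>" followed by "OK"."""

from typing import Callable, Iterable, List, Optional

# libgpg-error style codes (assumed): source Pinentry (5) in the high byte.
ERR_CANCELED = (5 << 24) | 99      # GPG_ERR_CANCELED
ERR_UNKNOWN_CMD = (5 << 24) | 275  # GPG_ERR_ASS_UNKNOWN_CMD


def assuan_escape(data: str) -> str:
    """Percent-escape the bytes that may not appear raw inside a D line."""
    return "".join("%%%02X" % ord(ch) if ch in "%\r\n" else ch for ch in data)


def assuan_unescape(data: str) -> str:
    """Reverse of assuan_escape; malformed %-sequences are kept literally."""
    out, i = [], 0
    while i < len(data):
        hexpart = data[i + 1:i + 3]
        if data[i] == "%" and i + 2 < len(data) and all(
                c in "0123456789abcdefABCDEF" for c in hexpart):
            out.append(chr(int(hexpart, 16)))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return "".join(out)


class PinentryServer:
    """Protocol side of a pinentry; the passphrase source is injected."""

    def __init__(self, get_pin: Callable[[str, str], Optional[str]]):
        self.get_pin = get_pin  # returns the passphrase, or None if cancelled
        self.desc = ""
        self.prompt = "PIN:"

    def greeting(self) -> str:
        return "OK Pleased to meet you"

    def handle(self, line: str) -> List[str]:
        """Process one command line and return its response lines."""
        cmd, _, arg = line.rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd == "SETDESC":
            self.desc = assuan_unescape(arg)
            return ["OK"]
        if cmd == "SETPROMPT":
            self.prompt = assuan_unescape(arg)
            return ["OK"]
        if cmd in ("OPTION", "SETTITLE", "SETOK", "SETCANCEL", "SETERROR",
                   "RESET"):
            return ["OK"]  # accepted but not acted upon here
        if cmd == "GETPIN":
            pin = self.get_pin(self.desc, self.prompt)
            if pin is None:
                return ["ERR %d Operation cancelled <Pinentry>" % ERR_CANCELED]
            return ["D " + assuan_escape(pin), "OK"]
        if cmd == "CONFIRM":
            return ["OK"]
        if cmd == "BYE":
            return ["OK closing connection"]
        return ["ERR %d Unknown IPC command <Pinentry>" % ERR_UNKNOWN_CMD]


def run_session(server: PinentryServer, commands: Iterable[str]) -> List[str]:
    """Drive the server with a scripted command sequence (standing in for
    gpg-agent) and return the complete response transcript."""
    transcript = [server.greeting()]
    for cmd in commands:
        transcript.extend(server.handle(cmd))
        if cmd.upper().startswith("BYE"):
            break
    return transcript


# Constructed in-memory table keyed by the SETDESC text, used only for the demo.
DEMO_TABLE = {"Enter the passphrase for the example key": "pass%word\nline2"}


def demo_lookup(desc: str, prompt: str) -> Optional[str]:
    return DEMO_TABLE.get(desc)


def demo(desc: str = "Enter the passphrase for the example key") -> List[str]:
    """Full exchange for one GETPIN; an unknown desc yields the cancel ERR."""
    server = PinentryServer(demo_lookup)
    return run_session(server, ["OPTION grab", "SETDESC " + desc,
                                "SETPROMPT Passphrase:", "GETPIN", "BYE"])


if __name__ == "__main__":
    for resp in demo():
        print(resp)
```

Keeping the passphrase source behind a callable is what makes the replacement "cleaner" in the sense Werner describes: gpg-agent only ever sees the Assuan exchange, and the boundary between the agent, the pinentry and whatever the callable consults stays visible and auditable.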




More information about the Gpa-dev mailing list