[PATCH] Make pinentry-qt read and store passphrases in KDE 3.2's wallet

Ingo Klöcker kloecker at kde.org
Wed Dec 3 18:58:47 CET 2003


On Wednesday 03 December 2003 16:24, Matthias Welwarsky wrote:
> On Wednesday 03 December 2003 12:55, Werner Koch wrote:
> > On Mon, 1 Dec 2003 21:22:50 +0100, Martijn Klingens said:
> > > Apart from coding issues, what's the semantic difference between
> > > storing the KWallet passphrase in a GPG encrypted document or
> > > storing the GPG passphrase in an encrypted wallet?
> >
> > What you are doing is to encrypt the key used to encrypt the secret
> > key.  That introduced a lot of more complexity and thus insecurity.
> > It is pointless to store the passphrase of a gpg key in
> > encrypted form on the disk.  The only thing you gain from that is
> > convenience for the price of reduced security.  If you simply want
> > one passphrase for all your apps, use one passphrase and don't
> > store it on disk (it doesn't matter whether it is encrypted or
> > not).  Caching a passphrase in memory is a different issue.
>
> All my apps, and all my external accounts with the same password. You
> have to explain to me how this is better than a wallet.

That depends on the threat model. If your wallet is stolen and cracked 
by someone then all your passwords are lost. If OTOH you don't store 
the single password you use for everything on your hard disk then an 
attacker who steals your hard disk gains nothing. Using a single 
password for everything is nevertheless a very bad idea because a 
stolen hard disk isn't the only threat.

Would you store the passphrase which protects your OpenPGP key as plain 
text on an encrypted hard disk?

Regards,
Ingo


More information about the Gpa-dev mailing list