
Re: gpg-agent?



martin f krafft wrote:
> From what I understood, gpg-agent hooks into gpg like ssh-agent into
> ssh, and you can't get at the passphrase. Correct me if this is wrong.

By this I assume you mean it does something like store the passphrase in
non-swappable memory and then, when requested, use some form of IPC to
feed it into a /usr/bin/gpg process. I assume it hardcodes the path,
which would prevent you (or someone who has access to your account) from
creating a ~/bin/gpg that asks it for the passphrase and dumps it to
stdout.

That would still let root replace /usr/bin/gpg with such a program,
though. So something like this is of some value, but it only manages to
narrow the window from someone who has temporary access to, say, a
laptop with an agent running and a passphrase entered, to such a laptop
on which you have used sudo in the last 15 minutes. Correct me if I'm
wrong.

q-agent is a PITA to get working with stuff like mutt though, so I do
look forward to using gpg-agent. I just think I'd guard my laptop with
my mail signing key on it about the same no matter which agent I had
running.

-- 
see shy jo

Attachment: pgpORQ3Xc1zKq.pgp
Description: PGP signature
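The account-level case raised above (a gpg wrapper placed earlier in PATH than /usr/bin/gpg, which an agent that resolves "gpg" through PATH would happily feed the passphrase to) can be checked for from the shell. The script below is an added example, not code from the original message or from gpg-agent; the function names are hypothetical, and the demo builds a constructed directory tree under mktemp rather than touching the real system.

```shell
#!/bin/sh
# Added example, not code from the original message or from gpg-agent.
# find_shadowing_binaries and demo_shadowed_gpg are hypothetical names.

# List every executable named $1 that a PATH search would run instead of the
# canonical copy at $2, searching $3 (default: $PATH).  Each hit is printed on
# its own line, suffixed with " writable" when the current user can modify
# the file or its directory, i.e. could drop in a wrapper that asks the agent
# for the passphrase and dumps it.  The search stops at the canonical path;
# if that path is not in the search path, every candidate is reported.
find_shadowing_binaries() {
    name=$1
    canonical=$2
    search_path=${3:-$PATH}
    old_ifs=$IFS
    IFS=:
    for dir in $search_path; do
        [ -n "$dir" ] || dir=.            # an empty PATH entry means "."
        candidate="$dir/$name"
        if [ "$candidate" = "$canonical" ]; then
            break
        fi
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            if [ -w "$candidate" ] || [ -w "$dir" ]; then
                printf '%s writable\n' "$candidate"
            else
                printf '%s\n' "$candidate"
            fi
        fi
    done
    IFS=$old_ifs
}

# Constructed scenario: a user-owned ~/bin/gpg ahead of /usr/bin/gpg, built in
# a temporary directory so the example never touches the real system.
demo_shadowed_gpg() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/bin" "$tmp/usr/local/bin" "$tmp/usr/bin"
    printf '#!/bin/sh\necho "wrapper: would capture the passphrase here"\n' \
        > "$tmp/home/bin/gpg"
    printf '#!/bin/sh\necho "real gpg"\n' > "$tmp/usr/bin/gpg"
    chmod 755 "$tmp/home/bin/gpg" "$tmp/usr/bin/gpg"
    find_shadowing_binaries gpg "$tmp/usr/bin/gpg" \
        "$tmp/home/bin:$tmp/usr/local/bin:$tmp/usr/bin"
    rm -rf "$tmp"
}

# With --self, check the current account's PATH; otherwise run the demo.
if [ "${1:-}" = "--self" ]; then
    find_shadowing_binaries gpg /usr/bin/gpg
else
    demo_shadowed_gpg
fi
```

The demo prints the constructed ~/bin/gpg as a writable shadow of /usr/bin/gpg. Note what this does and does not cover: it finds binaries that a PATH lookup would prefer, which is exactly what an agent with a hardcoded /usr/bin/gpg sidesteps, but it says nothing about whether /usr/bin/gpg itself is still the copy the package shipped, which is the root case in the message and needs a separate integrity check that root could equally subvert.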

