martin f krafft wrote:
> From what I understood, gpg-agent hooks into gpg like ssh-agent into
> ssh and you can't get at the passphrase. Correct me if this is wrong.

By this I assume you mean it does something like store the passphrase in non-swappable memory and then, when requested, use some form of IPC to feed it into a /usr/bin/gpg process. I assume it hardcodes the path, which would prevent you (or someone who has access to your account) from creating a ~/bin/gpg that asks it for the passphrase and dumps it to stdout. That would still let root replace /usr/bin/gpg with such a program, though.

So something like this is of some value, but it only manages to narrow the window from someone who has temporary access to, say, a laptop with an agent running and a passphrase entered, to someone with access to such a laptop on which you have used sudo in the last 15 minutes. Correct me if I'm wrong.

q-agent is a PITA to get working with stuff like mutt, though, so I do look forward to using gpg-agent. I just think I'd guard my laptop with my mail signing key on it about the same no matter which agent I had running.

-- 
see shy jo