On 08.09.20 at 16:39, Kai Engert wrote:
> On 08.09.20 13:49, li...@datenritter.de wrote:
>>
>> Eventually you'll enter your master password anyway. After that there's
>> no other layer of security. All your passwords, certificates and
>> PGP-keys lie about in memory. So I'm concerned about memory leaks and
>> code injections.
>
> If you're worried that another process on your computer can steal your
> key, the risk is the same with GnuPG agent, which also caches the
> passphrase in memory for a while.

For a while, yes. There's a configurable timeout, though. Also, we're talking about two different processes here. Accessing memory which has been allocated to a different process should cause an exception and get the attacking process killed.

> If there's an evil process on your computer with the ability to read
> keys from memory, that process probably also is able to record your
> passphrase keystrokes.

Well, that would be a kernel hack which goes beyond the scope of what application developers can prevent.

> I think the primary intention of a key passphrase is to protect the key
> files at rest.

That's just the bare minimum. There's a reason for the timeout. Ask yourself: How often do you actually *quit* Thunderbird?