On 02/11/14 09:42, Cpp wrote: > I see that command will print out the passphrase in clear text. Is > this secure to use just like that?
This is the same channel as where session keys are exchanged. With a session key, you can decrypt an encrypted message: very sensitive information. So the channel in itself is secure; it all depends on the application that uses it. I don't know if there are any other applications than GnuPG itself that use the agent[1], but in your scenario it would seem to be GnuPG itself and hence be secure. IIUC, your question is whether it's principally possible for Enigmail to decrypt only when you will not be prompted for the passphrase or PIN. The GET_PASSPHRASE --no-ask seems ill equipped to do that. Even apart from the raciness, Enigmail is quite far away from the agent interface. I /think/ Enigmail simply executes the gnupg binary, defaulting to v1.4.x which doesn't even necessarily use the agent! What seems to be needed is a --no-ask command line option to GnuPG 1.4.x or 2.0.x. This would, in the case of an agent, most likely translate into an agent command PKDECRYPT --no-ask (which also doesn't exist yet). So I think the answer is: without ugly hacks which also involve races, no, Enigmail cannot currently decrypt only when it would not lead to a prompt. But perhaps things will completely change with the new GnuPG v2.1.x? By the way: $ gpg-connect-agent "help pkdecrypt" /bye # PKDECRYPT <options> # # Perform the actual decrypt operation. Input is not # sensitive to eavesdropping. OK I've looked at the source (2.0.26), and there are no options. Is this <options> still a relic from something that was once there, or planned to be there? Why is it <options> instead of [options] anyway? :) Surely that's a typo. HTH, Peter. [1] I'm excluding gnome-keyring-daemon on purpose, since it's not using but rather abusing. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at <http://digitalbrains.com/2012/openpgp-key-peter> _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
