Hello all! Given the recent survey of password manager security [1], which concluded that they fail to properly sanitize / scrub the sensitive data (i.e. the "master key") in the "running locked" state, I was wondering how GnuPG Agent fares in this regard?

More specifically:

* let's assume that one uses GnuPG Agent (only for PGP);
* the user enters the password for a particular private key;
* (one assumes that the password was used to obtain the private key cryptographic material, and then scrubbed;)
* then `--max-cache-ttl` seconds pass;
* one assumes that the private key cryptographic material is now scrubbed.

Is this expectation correct? Is there some external analysis of the security of the agent with regard to the scrubbing of both passwords and cryptographic material?

Thanks,
Ciprian.

[1] https://www.securityevaluators.com/casestudies/password-manager-hacking/

P.S.: My interest in this subject is because I have a "custom" password manager implemented on top of GnuPG, which I'm sure leaks passwords all over the place (because it's written in Bash, and uses various X tools, none made for security). However, I am curious how "safe" the actual GnuPG agent really is.

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
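The question above hinges on the agent's passphrase-cache lifetime, which is governed by the `default-cache-ttl` and `max-cache-ttl` options in `gpg-agent.conf`. The following is an added example, not code from the post or from the GnuPG project: a small POSIX shell audit that reads a `gpg-agent.conf`, falls back to the agent's built-in defaults (600 s and 7200 s) when an option is absent, and flags any TTL above a ceiling the operator chooses. The ceiling value and the sample config are constructed for the example; the option names are GnuPG's own.

```shell
#!/bin/sh
# Added example (not part of the original post): audit passphrase-cache TTLs
# in a gpg-agent.conf. default-cache-ttl and max-cache-ttl are real gpg-agent
# options; the ceiling and the sample config below are constructed here.

# Print the value of option $2 from config file $1, or the fallback $3 if the
# option is not set. The last occurrence wins, as it does for gpg-agent.
agent_opt() {
  v=$(awk -v opt="$2" '$1 == opt { print $2 }' "$1" | tail -n 1)
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Report each cache TTL against a ceiling (seconds). Returns 0 when both
# TTLs are at or below the ceiling, 1 when at least one exceeds it.
check_cache_ttl() {
  cfg=$1
  ceiling=$2
  rc=0
  for opt in default-cache-ttl max-cache-ttl; do
    case $opt in
      default-cache-ttl) dflt=600 ;;   # gpg-agent built-in default (10 min)
      max-cache-ttl)     dflt=7200 ;;  # gpg-agent built-in default (2 h)
    esac
    ttl=$(agent_opt "$cfg" "$opt" "$dflt")
    if [ "$ttl" -gt "$ceiling" ]; then
      echo "WARN $opt=$ttl exceeds ceiling of $ceiling s"
      rc=1
    else
      echo "ok   $opt=$ttl"
    fi
  done
  return $rc
}

# Constructed sample config: a short default TTL but a very long hard cap,
# so a cached passphrase can be re-used for up to ten hours without re-entry.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# gpg-agent.conf (constructed for this example)
default-cache-ttl 60
max-cache-ttl 36000
EOF

check_cache_ttl "$SAMPLE" 3600 || echo "cache TTLs need tightening"
rm -f "$SAMPLE"

# After editing the real ~/.gnupg/gpg-agent.conf, apply it and drop any
# passphrases already in the cache with:
#   gpgconf --reload gpg-agent
#   gpg-connect-agent reloadagent /bye
```

Point the check at `~/.gnupg/gpg-agent.conf` with the ceiling your policy allows; note that `max-cache-ttl` is the hard upper bound, since each use of a cached passphrase can refresh the `default-cache-ttl` timer up to that limit.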
