Hi Ciprian,

I'm not able to answer your main question, but I believe it is as you explained. However, regarding the matter in P.S., I'm glad to inform you that such a tool exists. It is called pass [1] and it is fully integrated with GnuPG and Git. So you can back up your password like a Git repository.

There are also Android and iOS implementations of pass.

Hope this helps.

Regards,
Sarun

[1]: https://www.passwordstore.org

On Tue, 26 Feb 2019, 17:47 Ciprian Dorin Craciun, <[email protected]> wrote:

> Hello all!
>
> Given the recent survey in password managers security [1], which
> concluded with their failure to properly sanitize / scrub the
> sensitive data (i.e. "master key") in "running locked state", I was
> wondering how does GnuPG Agent fare in this regard?
>
> More specifically:
> * let's assume that one uses GnuPG Agent; (only for PGP;)
> * the user enters the password for a particular private key;
> * (one assumes that the password was used to get the private key
>   cryptographic material, and then scrubbed;)
> * then `--max-cache-ttl` seconds pass;
> * one assumes that the private key cryptographic material is now scrubbed;
>
> Is this expectation correct?
>
>
> Is there some external analysis about the security of the agent with
> regard to the scrubbing of both passwords and cryptographic material?
>
> Thanks,
> Ciprian.
>
>
> [1]
> https://www.securityevaluators.com/casestudies/password-manager-hacking/
>
>
> P.S.: My interest in this subject is because I have a "custom"
> password-manager implemented on-top of GnuPG, which I'm sure leaks
> passwords all over the place (because it's written in Bash, and uses
> various X tools, none made for security). However I am curious how
> "safe" the actual GnuPG agent really is.
>
> _______________________________________________
> Gnupg-users mailing list
> [email protected]
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
