Hi,

On Monday 25 May 2026 06:36:55, marqueandreprisal--- via Gnupg-users wrote:
> How would this fine community recommend to make a standardized comment
> about keys being used in unsecure environments. For example buying an
> android™ off of the shelf and using keys with GnuPG Termux or Open
> Keychain is not sure because androids often have swap files which may be
> set up to dump memory and snag the private key.

As far as I can say, a crypto component cannot tell if it is run on an "unsecure" environment or not. So even if GnuPG or Openkeychain wanted to record this, they would not be able to find out about this with reasonable certainty.

Consider the example that the software is running in a virtualized environment like qemu, which is "unsecure" in the sense that qemu can observe everything. As qemu can "simulate" everything, it is not really possible to detect the fact.

On the other hand, an Android system may be run air-gapped in a confined place, with a self-built kernel and everything, which would make it quite "secure". So detecting that termux was used would not make a key pair "unsecure" alone.

Regards,
Bernhard

-- 
https://intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter
_______________________________________________
Gnupg-users mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-users
