On 2005-10-09 11:03:25 -0400, Derek Martin wrote:

> Well, this is very far from my area of expertise; but we all know
> someone for whom this kind of issue is near and dear... Does
> Werner have anything to say about this? I could do some
> research, but I think it would be better to get input from
> someone with more experience. FWIW, how does GPG handle this
> problem?

You can run gpg setuid root so the memory that is used for
sensitive information is locked. That helps against having the
sensitive information in your swap partition.

> I admit, at first glance methods of solving this seem... yucky.
> For example, locking memory (so that it does not swap to disk)
> requires root privileges on most platforms... making mutt SUID
> root seems like a very bad idea. But perhaps mutt could have its
> own passphrase agent.

In that case, why not re-use gpg's?

> In the end, you have a point; methods of attacking the passphrase
> in memory require the ability to either assume the user's
> privileges, or assume root privileges. If an attacker can do
> that, most likely all bets are off anyway. For example, if a
> rogue sysadmin were so inclined, he could install a trojaned mutt
> which collects private key passphrases.

> Still, I'd like to hear what others with more experience than I
> have to say about this issue. I think it would be somewhat
> reassuring for users who don't control the system(s) on which
> they use mutt, and don't have access to gpgagent, if some attempt
> at solving this was made.

If you don't control a system and don't trust the people who
control it, then, please, don't process sensitive information on
it. This also applies, by the way, to running gpg-agent or gpg on
such systems.

Regards,
-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.
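The mechanism Thomas describes (run setuid root, lock the passphrase buffer so it never reaches swap, then give the privilege back) looks like the following in C. This is an added example, not mutt's or gpg's code: the struct and function names (secret_buf, secret_buf_init, secret_buf_lock, drop_root_privileges, secure_wipe, secret_buf_free, secret_buf_selftest) and the sample passphrase are assumptions made for illustration. The ordering is the point: mlock() runs while the effective uid is still 0, because on Linux an unprivileged process is bounded by RLIMIT_MEMLOCK, and the drop uses setuid() rather than seteuid() so the saved uid is discarded and root cannot be regained later.

```c
/* Added example (not mutt's or gpg's code): lock a secret out of swap
 * while setuid root, then drop root for good. Names are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct secret_buf {
    unsigned char *data;   /* page-aligned storage for the passphrase */
    size_t len;            /* bytes allocated, rounded up to whole pages */
    int locked;            /* 1 once mlock() has succeeded */
};

/* Allocate zeroed, page-aligned memory. Returns 0 or -errno. */
int secret_buf_init(struct secret_buf *sb, size_t want)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) page = 4096;
    size_t len = ((want + (size_t)page - 1) / (size_t)page) * (size_t)page;
    void *p = NULL;
    int rc = posix_memalign(&p, (size_t)page, len);
    if (rc != 0) return -rc;
    memset(p, 0, len);
    sb->data = p; sb->len = len; sb->locked = 0;
    return 0;
}

/* Pin the pages in RAM so the kernel will not write them to swap.
 * Call this BEFORE dropping root: an unprivileged caller is limited by
 * RLIMIT_MEMLOCK and may get -ENOMEM or -EPERM back. */
int secret_buf_lock(struct secret_buf *sb)
{
    if (mlock(sb->data, sb->len) != 0) return -errno;
    sb->locked = 1;
#ifdef MADV_DONTDUMP
    (void)madvise(sb->data, sb->len, MADV_DONTDUMP); /* Linux: keep out of core dumps */
#endif
    return 0;
}

/* If started setuid root, become the invoking user permanently.
 * Returns 0 when no longer privileged (or never was), -1 on failure. */
int drop_root_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (geteuid() != 0 || ruid == 0) return 0;      /* nothing to drop */
    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;               /* setuid(), not seteuid() */
    if (setuid(0) == 0) return -1;                  /* must not be able to come back */
    return 0;
}

/* Overwrite a secret through a volatile pointer so the store is not elided. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

int buf_is_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Wipe, unlock and release the buffer. */
void secret_buf_free(struct secret_buf *sb)
{
    if (!sb->data) return;
    secure_wipe(sb->data, sb->len);
    if (sb->locked) munlock(sb->data, sb->len);
    free(sb->data);
    sb->data = NULL; sb->len = 0; sb->locked = 0;
}

/* Full round trip on a constructed passphrase. Returns 0 on success;
 * a failed mlock() is tolerated (reported via sb.locked), since an
 * unprivileged run may simply be over its memlock limit. */
int secret_buf_selftest(void)
{
    struct secret_buf sb;
    if (secret_buf_init(&sb, 64) != 0) return 1;
    int lrc = secret_buf_lock(&sb);
    if ((lrc == 0) != (sb.locked == 1)) return 2;
    if (drop_root_privileges() != 0) return 3;
    const char *sample = "constructed passphrase";      /* constructed sample input */
    memcpy(sb.data, sample, strlen(sample));
    if (buf_is_zero(sb.data, sb.len)) return 4;
    secure_wipe(sb.data, sb.len);
    if (!buf_is_zero(sb.data, sb.len)) return 5;
    secret_buf_free(&sb);
    return sb.data == NULL ? 0 : 6;
}

int main(void)
{
    int rc = secret_buf_selftest();
    printf("selftest: %d, now running as uid %u\n", rc, (unsigned)geteuid());
    return rc;
}
```

Note what this does and does not protect: a locked, wiped buffer keeps the passphrase off disk, but anyone who can ptrace the process or read kernel memory as root still gets it, which is exactly the "all bets are off" case the thread discusses.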