Re: pasting of passphrases please?
- From: Jens Prüfer <jens pruefer gmx de>
- To: Adam Schreiber <sadam gnome org>
- Cc: seahorse-list gnome org
- Subject: Re: pasting of passphrases please?
- Date: Fri, 07 Aug 2009 16:33:52 +0200
Hi,
thanks for the quick response.
On Fri, 2009-08-07 at 09:59 -0400, Adam Schreiber wrote:
> My actual response is:
>
> Comment #1 from Adam Schreiber (seahorse developer, points: 19)
> 2008-08-28 16:47 UTC [reply]
>
> You could store the passphrase securely in gnome-keyring. You would have to
> enter it manually once and then it would be provided automatically in the
> future.
>
> Go to System -> Preferences -> Encryption and Keyrings
>
> On the PGP Passphrases tab, select Always remember passphrases whenever logged
> in and additionally if you want to be asked before it's provided check the box
> next to Ask me before using a cached passphrase.
>
> which says nothing about the relative security of the requested
> feature or the provided solution.
True. I thought you implied that this was the more secure solution
compared to allowing pasting of passwords. Sorry, if I misinterpreted.
So there is no security reason to restrict cut&paste?
> > Moreover, it was suggested to use the "always remember passphrase"
> > function of the gnome keyring to only have to do this once per session.
> > Why is storing a key permanently in memory considered more secure than a
> > 20 second storage of a passphrase in case of "cut&paste" using keepassX?
>
> I'm not familiar with keepassX, but gnome-keyring stores your secrets,
> passphrases included, in non-pageable memory when your keyring is
> unlocked and in an encrypted file in your home directory with
> appropriate permissions otherwise. I'm guessing that's similar to
> what keepassX provides.
Yes, but keepassX provides me with a cross-platform solution, so I can
use the kdb file on my USB stick under Windows, Linux and Mac (OS X).
> > Just because clipboard memory can be paged out to disk?
>
> You might want to read a recent list post from Stef discussing
> changing the secure-entry widget currently used to a secured version
> of GtkEntry shipped in GTK+.
You mean this?
http://mail.gnome.org/archives/seahorse-list/2009-July/msg00006.html
I thought that "there is no new entry" means I still could not paste
passphrases?
> If you use a laptop and suspend or hibernate it, your memory is paged
> to the disk.
Indeed. This would also include any passphrases stored in "non pageable"
RAM, right? That is why I use dm-crypt also for my swap partition.
However, I'd have to hibernate my system within 20 seconds after
cut&pasting my passphrase to seahorse. After that, memory is scrubbed by
keepass. I could live with that restriction.
Cheers
Jens