Re: pasting of passphrases please?



Hi,

thanks for the quick response.

On Fri, 2009-08-07 at 09:59 -0400, Adam Schreiber wrote:

> My actual response is:
> 
> Comment #1 from Adam Schreiber (seahorse developer, points: 19)
> 2008-08-28 16:47 UTC [reply]
> 
> You could store the passphrase securely in gnome-keyring. You would have to
> enter it manually once and then it would be provided automatically in the
> future.
> 
> Go to System -> Preferences -> Encryption and Keyrings
> 
> On the PGP Passphrases tab, select Always remember passphrases whenever logged
> in and additionally if you want to be asked before it's provided check the box
> next to Ask me before using a cached passphrase.
> 
> which says nothing about the relative security of the requested
> feature or the provided solution.

True. I thought you implied that this was the more secure solution
compared to allowing pasting of passwords. Sorry if I misinterpreted.
So there is no security reason to restrict cut&paste?

> > Moreover, it was suggested to use the "always remember passphrase"
> > function of the gnome keyring to only have to do this once per session.
> > Why is storing a key permanently in memory considered more secure than a
> > 20 second storage of a passphrase in case of "cut&paste" using keepassX?
> 
> I'm not familiar with keepassX, but gnome-keyring stores your secrets,
> passphrases included, in non-pageable memory when your keyring is
> unlocked and in an encrypted file in your home directory with
> appropriate permissions otherwise.  I'm guessing that's similar to
> what keepassX provides.

Yes, but keepassX provides me with a cross-platform solution, so I can
use the kdb file on my USB stick under Windows, Linux and Mac (OS X).

> > Just because clipboard memory can be paged out to disk?
> 
> You might want to read a recent list post from Stef discussing
> changing the secure-entry widget currently used to a secured version
> of GtkEntry shipped in GTK+.

You mean this?

http://mail.gnome.org/archives/seahorse-list/2009-July/msg00006.html

I thought that "there is no new entry" means I still could not paste
passphrases?

> If you use a laptop and suspend or hibernate it, your memory is paged
> to the disk.

Indeed. This would also include any passphrases stored in "non pageable"
RAM, right? That is why I use dm-crypt also for my swap partition.

However, I'd have to hibernate my system within 20 seconds after
cut&pasting my passphrase to seahorse. After that, memory is scrubbed by
keepass. I could live with that restriction.

Cheers

Jens
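As an added example, not code from gnome-keyring, seahorse or keepassX, of the "non-pageable memory" Adam describes and the hibernation caveat Jens raises: a small C secret holder that mlock()s a page-aligned buffer, asks the kernel to leave it out of core dumps where MADV_DONTDUMP exists, compares against a candidate in constant time, and wipes the buffer through a volatile pointer before freeing it. The struct and function names and the sample passphrase are made up for the example. mlock() only keeps the pages out of ordinary swapping; a hibernation image is a copy of all of RAM written to the swap device, locked pages included, which is exactly why an encrypted swap partition still matters.

```c
/* Added example (not gnome-keyring/seahorse/keepassX code): hold a passphrase
 * in memory that is locked against paging and explicitly wiped on release.
 * mlock() keeps the pages out of normal swap, but NOT out of a hibernation
 * image, which writes the whole of RAM to swap. Encrypt swap for that case. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct secret {
    unsigned char *buf;  /* page-aligned buffer holding the passphrase + NUL */
    size_t len;          /* passphrase length, without the NUL */
    size_t cap;          /* bytes allocated: whole pages */
    int locked;          /* 1 if mlock() succeeded, 0 if e.g. RLIMIT_MEMLOCK refused it */
};

/* Zero through a volatile pointer so the compiler cannot drop the stores as
 * dead when the buffer is freed immediately afterwards. */
static void secure_wipe(volatile unsigned char *p, size_t n)
{
    while (n--)
        *p++ = 0;
}

/* Copy the passphrase into a fresh page-aligned, locked buffer.
 * Returns 0 on success, -1 if allocation fails. A failed mlock() is not
 * fatal: the secret is still held, but s->locked tells the caller that the
 * pages may be swapped out, so it can warn or refuse. */
int secret_init(struct secret *s, const char *passphrase)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t need = strlen(passphrase) + 1;
    void *mem = NULL;

    if (page <= 0)
        page = 4096;  /* conservative fallback if sysconf() fails */
    s->cap = ((need + (size_t)page - 1) / (size_t)page) * (size_t)page;
    if (posix_memalign(&mem, (size_t)page, s->cap) != 0)
        return -1;
    s->buf = mem;
    s->len = need - 1;
    s->locked = (mlock(s->buf, s->cap) == 0);
#ifdef MADV_DONTDUMP
    madvise(s->buf, s->cap, MADV_DONTDUMP);  /* Linux: keep the pages out of core dumps */
#endif
    memcpy(s->buf, passphrase, need);
    return 0;
}

/* Constant-time comparison over the common length, so a wrong guess does not
 * reveal through timing how many leading bytes matched. (The length itself
 * is not hidden.) Returns 1 on match, 0 otherwise. */
int secret_equals(const struct secret *s, const char *candidate)
{
    size_t clen = strlen(candidate);
    size_t n = clen < s->len ? clen : s->len;
    unsigned char diff = (unsigned char)(clen != s->len);
    for (size_t i = 0; i < n; i++)
        diff |= s->buf[i] ^ (unsigned char)candidate[i];
    return diff == 0;
}

/* Wipe, verify the wipe, unlock and free. Returns how many bytes were still
 * non-zero after wiping (0 on success). The check runs before free(), so it
 * never reads released memory. */
size_t secret_destroy(struct secret *s)
{
    size_t leftover = 0;
    secure_wipe(s->buf, s->cap);
    for (size_t i = 0; i < s->cap; i++)
        leftover += (s->buf[i] != 0);
    if (s->locked)
        munlock(s->buf, s->cap);
    free(s->buf);
    s->buf = NULL;
    s->len = s->cap = 0;
    s->locked = 0;
    return leftover;
}

int main(void)
{
    struct secret s;
    /* Constructed sample passphrase; in seahorse it would come from the entry widget. */
    if (secret_init(&s, "correct horse battery staple") != 0)
        return 1;
    printf("locked against paging: %s\n", s.locked ? "yes" : "no (mlock refused)");
    printf("candidate matches: %d\n", secret_equals(&s, "correct horse battery staple"));
    printf("bytes left after wipe: %zu\n", secret_destroy(&s));
    return 0;
}
```

Under an unprivileged account mlock() is bounded by RLIMIT_MEMLOCK (`ulimit -l`), so a daemon holding many secrets has to budget for that limit or run with CAP_IPC_LOCK; reporting the failure instead of silently continuing is the point of the `locked` flag. None of this helps against the 20-second clipboard window Jens describes: whatever a clipboard manager or X selection owner holds is outside this buffer entirely.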
