
On Tue, 12 Apr 2016 03:56:17 AM Andrew McGlashan via luv-main wrote:
On 11/04/2016 4:24 PM, Brian May via luv-main wrote:
Andrew McGlashan via luv-main <luv-main@luv.asn.au> writes:
What exactly does gpg2 offer that makes it more suitable than gpg for most usage?
I believe they rewrote gnupg-agent to actually make it secure - like ssh-agent - instead of just storing your passphrase it stores the private key and denies any processes getting direct access to the unencrypted private key. This also has other advantages apart from just security.
I use 0 minutes to cache my passphrase, so that should make me safe?
It depends on what types of attack you are vulnerable to.

If there is a possibility of someone observing your keyboard (or monitoring the sound of key presses if you are more paranoid) then reducing the frequency of passphrase use is good for security - i.e. longer cache times.

If you have a device that doesn't permit root access (i.e. the logged-in account doesn't have sudo permission) and the cache is secure (locked memory from a SUID/SGID process) then it might be better to have the cache remain for a long time.

An attack on cache memory (or process address space for temporary storage of the passphrase and/or decrypted private key) is something that could hang around. As gpg is no longer SGID (when did that change happen?) it's possible for any other process under the same UID to ptrace it.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
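
Added example, not part of the thread: a small audit script that reports the two settings the messages above weigh against each other, the gpg-agent cache lifetime and whether a same-UID process may ptrace another. The function names and the sample config are constructed for illustration; it assumes gpg-agent's documented `default-cache-ttl` and `max-cache-ttl` options (defaults 600 and 7200 seconds) and the Linux Yama `ptrace_scope` sysctl, and it reports the last occurrence of an option in the file.

```shell
#!/bin/sh
# Constructed sample gpg-agent.conf, used when no real one is readable.
SAMPLE_CONF='# constructed sample: never cache the passphrase
default-cache-ttl 0
max-cache-ttl 0
'

# conf_value OPTION DEFAULT  (config text on stdin)
# Prints the option's value, or DEFAULT when the option is not set.
conf_value() {
    awk -v opt="$1" -v def="$2" '
        /^[[:space:]]*#/ { next }            # skip comment lines
        $1 == opt { val = $2; found = 1 }    # remember the last occurrence
        END { print (found ? val : def) }'
}

# ptrace_exposure SCOPE
# Maps the Yama ptrace_scope value to who may attach to a process.
# An empty SCOPE means Yama is absent, so classic same-UID rules apply.
ptrace_exposure() {
    case "$1" in
        0|"") echo "same-uid-attach" ;;   # any process of the same UID
        1)    echo "descendants-only" ;;  # only a parent or declared tracer
        2)    echo "admin-only" ;;        # needs CAP_SYS_PTRACE
        3)    echo "no-attach" ;;         # ptrace attach disabled
        *)    echo "unknown" ;;
    esac
}

scope=""
if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope)
fi

conf="${GNUPGHOME:-${HOME:-}/.gnupg}/gpg-agent.conf"
if [ -r "$conf" ]; then text=$(cat "$conf"); else text=$SAMPLE_CONF; fi

echo "default-cache-ttl: $(printf '%s\n' "$text" | conf_value default-cache-ttl 600) s"
echo "max-cache-ttl:     $(printf '%s\n' "$text" | conf_value max-cache-ttl 7200) s"
echo "ptrace exposure:   $(ptrace_exposure "$scope")"
```

A long cache lifetime combined with `same-uid-attach` is the combination the last message is concerned about.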