GPG or Enigmail caching passphrase without asking


brian

23 Nov, 2017 04:13 PM

For some strange reason GPG and Enigmail now cache my secret-key passphrase in the MacOS keyring in spite of me deleting it every time. I don't remember interacting with a dialog to cache my passphrase. I would never do that. I don't want my passphrase anywhere but in my head. Now I cannot disable this behavior. I don't see anything in gpg.conf that would indicate I want my passphrase cached.

Is this a new feature, a bug, or a config error on my part?

macOS: 10.12.6
Thunderbird: 52.4.0
Enigmail: 1.9.8.3
GPG: 2.2.0
libgcrypt: 1.8.1

Thanks in advance.

Brian

  1. Support Staff 1 Posted by Luke Le on 09 Dec, 2017 10:47 PM


    Hi Brian,

    This is a change we introduced in the latest version of GPG Suite, since we found that it makes things much easier for most of our users.
    You can quickly disable this feature in System Preferences -> GPG Suite.

    Hope that helps.

  2. 2 Posted by brian on 09 Dec, 2017 11:26 PM


    I understand. From a security PoV (and GPG is all about security) this is a
    bad idea. The passphrase should NEVER be stored in the clear. Period. End
    of report. And yes, it is in the clear if someone has the passphrase to the
    keyring.

  4. Support Staff 4 Posted by Luke Le on 10 Dec, 2017 11:01 AM


    Hi Brian,

    What exactly do you mean by stored in the clear? The passphrase is stored in macOS's Keychain (encrypted with your macOS user's password). Of course, if an attacker has access to your computer and account, they would be able to extract the passphrase. At the same time, they could intercept your passphrase when you enter it (it might take a little longer).

    We are considering setting this default differently in the future, where the first time pinentry asks for a passphrase, the user is introduced to the advantages and disadvantages of storing the passphrase.

  5. 5 Posted by brian on 10 Dec, 2017 01:26 PM


    Anyone with the user's password for the keyring has access to the cleartext
    version of the user's passphrase. This is a level of security barely above
    no passphrase at all. It requires no effort, other than knowing the user's
    login password, to compromise the passphrase for the PK. The whole idea is
    that the passphrase is not stored in the system but used immediately to
    gain access to the user's PK. Even storing the passphrase for a
    short period of time is uncomfortable, but I do understand that. Storing the
    passphrase in the user's password keyring is just ... wrong.

    Yes, set the default differently. Make it difficult to set this very bad
    policy. Warn them multiple times. Make them say, "I want to store the
    passphrase but I know this is a very bad idea," 100 times.

  6. Steve closed this discussion on 28 Mar, 2018 01:15 PM.
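The thread stops at "disable it in System Preferences", which is GPG Suite's own switch. What Brian was looking for in gpg.conf actually lives in gpg-agent.conf: gpg-agent's `no-allow-external-cache` option tells the pinentry not to use any external passphrase cache (for pinentry-mac, the macOS Keychain), and `default-cache-ttl` / `max-cache-ttl` bound how long gpg-agent itself keeps a passphrase in memory. The script below is an added example, not code from the thread, from GPG Suite or from GnuPG: it rewrites gpg-agent.conf with those settings, reloads the agent, and parses the agent's `KEYINFO --list` output to show which keys currently have a passphrase held in memory. It assumes GnuPG 2.2-era option names, the KEYINFO field layout as documented for gpg-agent, and a pinentry that honors the external-cache option (whether a given pinentry build does is the pinentry's decision). The `[cache-hardening]` marker comments and the sample KEYINFO lines used for testing are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread, GPG Suite or GnuPG): keep the GnuPG
# passphrase out of any external cache and keep gpg-agent's own cache short.
# Assumptions: GnuPG 2.2-era gpg-agent option names; KEYINFO field layout as
# documented for gpg-agent; a pinentry that honors the external-cache option.
set -eu

# Rewrite gpg-agent.conf so that pinentry is told not to use an external cache
# (the macOS Keychain, for pinentry-mac) and the in-memory cache expires quickly.
# Earlier copies of these settings (tagged "[cache-hardening]") are dropped so
# the function is idempotent; every other line of the file is kept.
harden_agent_conf() {
    home="${1:-${GNUPGHOME:-$HOME/.gnupg}}"
    conf="$home/gpg-agent.conf"
    tmp="$conf.tmp"
    mkdir -p "$home"
    chmod 700 "$home"
    if [ -f "$conf" ]; then
        grep -vE '^# \[cache-hardening\]|^(no-)?allow-external-cache|^default-cache-ttl|^max-cache-ttl' \
            "$conf" > "$tmp" || true
    else
        : > "$tmp"
    fi
    cat >> "$tmp" <<'EOF'
# [cache-hardening] pinentry must not store the passphrase in an external cache
no-allow-external-cache
# [cache-hardening] gpg-agent in-memory cache: 60 s idle, 300 s hard limit
default-cache-ttl 60
max-cache-ttl 300
EOF
    mv "$tmp" "$conf"
    chmod 600 "$conf"
    echo "$conf"
}

# Make a running gpg-agent re-read its config, then drop everything it has cached.
apply_agent_conf() {
    gpgconf --reload gpg-agent
    gpg-connect-agent reloadagent /bye >/dev/null
}

# Read `gpg-connect-agent 'KEYINFO --list' /bye` output on stdin and print one
# line per key whose passphrase gpg-agent currently holds in memory.
# Layout: S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
cached_keygrips() {
    awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" {
            printf "%s cached protection=%s ttl=%s\n", $3, $8, $10 }'
}

# Number of keys with a cached passphrase ("0" means nothing is held in memory).
cached_count() {
    cached_keygrips | wc -l | tr -d ' '
}

# `./agent-cache.sh --apply` rewrites the config, reloads the agent and reports.
if [ "${1:-}" = "--apply" ]; then
    echo "wrote $(harden_agent_conf)"
    apply_agent_conf
    echo "keys with cached passphrase: $(gpg-connect-agent 'KEYINFO --list' /bye | cached_count)"
fi
```

Two caveats. `no-allow-external-cache` only stops the pinentry from adding new Keychain entries; an entry that is already stored has to be removed by hand (search Keychain Access for the GnuPG item). And the agent's in-memory cache, unlike the Keychain entry, is gone on logout or `reloadagent`, which is why the example treats the two differently. GPG Suite also exposes its own switch for the Keychain behaviour, the System Preferences pane mentioned above; the matching per-user default is, quoted from memory and worth checking against the GPG Suite documentation, `defaults write org.gpgtools.common UseKeychain -bool NO`.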
