GPG or Enigmail caching passphrase without asking
For some strange reason GPG and Enigmail now cache my secret-key passphrase in the MacOS keyring in spite of me deleting it every time. I don't remember interacting with a dialog to cache my passphrase. I would never do that. I don't want my passphrase anywhere but in my head. Now I cannot disable this behavior. I don't see anything in gpg.conf that would indicate I want my passphrase cached.
Is this a new feature, a bug, or a config error on my part?
MacOS: 10.12.6
Thunderbird: 52.4.0
Enigmail: 1.9.8.3
GPG: 2.2.0
libcrypt: 1.8.1
Thanks in advance.
Brian
Comments are currently closed for this discussion. You can start a new one.
Keyboard shortcuts
Generic
? | Show this help |
---|---|
ESC | Blurs the current field |
Comment Form
r | Focus the comment reply box |
---|---|
^ + ↩ | Submit the comment |
You can use Command ⌘
instead of Control ^
on Mac
Support Staff 1 Posted by Luke Le on 09 Dec, 2017 10:47 PM
Hi Brian,
this is a change we have introduced in the latest version of GPG Suite, since we found that it makes it much easier for most of our users.
You can quickly disable this feature in System Preferences -> GPG Suite.
Hope that helps.
2 Posted by brian on 09 Dec, 2017 11:26 PM
On Sat, Dec 9, 2017 at 4:47 PM, Luke Le <[email blocked]>
wrote:
> // Please reply above this line
>
I understand. From a security PoV (and GPG is all about security) this is a
bad idea. The passphrase should NEVER be stored in the clear. Period. End
of report. And yes, it is in the clear if someone has the passphrase to the
keyring.
3 Posted by brian on 10 Dec, 2017 01:12 AM
I understand. From a security PoV (and GPG is all about security) this is a
bad idea. The passphrase should NEVER be stored in the clear. Period. End
of report. And yes, it is in the clear if someone has the passphrase to the
keyring.
Support Staff 4 Posted by Luke Le on 10 Dec, 2017 11:01 AM
Hi Brian,
what exactly do you mean by stored in the clear? The passphrase is stored in macOS's Keychain (encrypted, with your macOS user's password). Of course, if an attacker has access to your computer and account, they would be able to extract the passphrase. At the same time, they could intercept your passphrase when you enter it (it might take a little longer).
We are considering to set this default differently in the future, where the first time pinentry asks for a passphrase, the user is introduced to the advantages and disadvantages of storing the passphrase.
5 Posted by brian on 10 Dec, 2017 01:26 PM
Anyone with the user's password for the keyring has access to the cleartext
version of the user's passphrase. This is a level of security barely above
no passphrase at all. It requires no effort, other than knowing the user's
login password, to compromise the passphrase for the PK. The whole idea is
that the passphrase is not stored in the system but used immediately to
gain access to the user's PK. Even making storing the passphrase for a
short period of time is uncomfortable but I do understand that. Storing the
passphrase in the user's password keyring is just ... wrong.
Yes, set the default differently. Make it difficult to set this very bad
policy. Warn them multiple times. Make them say, "I want to store the
passphrase but I know this is a very bad idea," 100 times.
Steve closed this discussion on 28 Mar, 2018 01:15 PM.