On Jan 12, 2011, at 10:54 PM, Robert J. Hansen wrote:

> When you close a laptop, Windows (or Mac OS X, or Linux, or what-have-you) 
> takes a snapshot of memory contents and writes it to disk.  This can be a 
> really big problem, since encryption keys, passphrases, and so forth are 
> written out in the process.  For instance, if you have gpg-agent set up to 
> cache your passphrase, your passphrase will probably be written to the 
> hibernation file, unless the GnuPG devs have taken heroic measures to prevent 
> this.

We've taken some measures, but they are not infallible (it's hard for them to 
be infallible since hibernation can happen at a layer below us - and we don't 
necessarily get any notification in userspace that we're about to be 
suspended).  In short, don't count on GnuPG alone to save you here.

The manual mentions this:

       Note also that some systems (especially laptops) have the ability to
       "suspend to disk" (also known as "safe sleep" or "hibernate").  This
       writes all memory to disk before going into a low power or even powered
       off mode.  Unless measures are taken in the operating system to protect
       the saved memory, passphrases or other sensitive material may be
       recoverable from it later.

So GnuPG can't do this alone, but there are ways to configure GnuPG alongside 
other packages and/or the OS to be safe(r) here.  For example, if you can 
arrange to run some commands as you are hibernating, you could get gpg-agent to 
dump its passphrase, etc.

This is similar in many ways to the old "key material ending up in swap" 
problem, though that was considerably easier to deal with since userspace had 
the necessary tools so GnuPG could handle the whole problem by itself.

David


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

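One way to arrange the "run some commands as you are hibernating" step that David describes, added here as an illustration and not code from the thread or from GnuPG: a systemd sleep hook that asks every logged-in user's gpg-agent to flush its passphrase cache before a suspend-to-disk transition. It assumes a modern Linux with systemd (hook directory /usr/lib/systemd/system-sleep/), the GnuPG 2.1+ socket layout under /run/user/<uid>/gnupg/, and runuser from util-linux; the file name 50-gpg-flush is an arbitrary choice. The cache flush itself uses the documented gpg-connect-agent command "reloadagent".

```shell
#!/bin/sh
# Example systemd sleep hook (added illustration, not code from the thread or GnuPG).
# Assumed install path: /usr/lib/systemd/system-sleep/50-gpg-flush, mode 0755.
# systemd-sleep runs every script in that directory as root with
#   $1 = pre | post
#   $2 = suspend | hibernate | hybrid-sleep | suspend-then-hibernate
# Assumed GnuPG >= 2.1 layout: each user's agent socket is /run/user/<uid>/gnupg/S.gpg-agent.

# Succeed (return 0) only for transitions that will copy RAM to disk, and only
# in the "pre" phase, i.e. before the image is written.
writes_ram_to_disk() {
    phase=$1
    kind=$2
    [ "$phase" = pre ] || return 1
    case "$kind" in
        hibernate|hybrid-sleep|suspend-then-hibernate) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the login name of each user who currently has a gpg-agent socket.
agent_owners() {
    for sock in /run/user/*/gnupg/S.gpg-agent; do
        [ -S "$sock" ] || continue          # glob did not match, or stale file
        uid=${sock#/run/user/}
        uid=${uid%%/*}
        getent passwd "$uid" | cut -d: -f1
    done
}

# Tell one user's agent to forget every cached passphrase. "reloadagent" is the
# gpg-connect-agent command that makes gpg-agent flush its cache. It has to be
# sent from that user's own account (runuser -l sets HOME and the uid), because
# run as root it would only reach root's agent.
flush_agent_for() {
    runuser -l "$1" -c 'gpg-connect-agent reloadagent /bye' >/dev/null 2>&1
}

main() {
    writes_ram_to_disk "$1" "$2" || return 0
    for user in $(agent_owners); do
        flush_agent_for "$user" || logger -t gpg-flush "could not flush gpg-agent for $user"
    done
}

# Only act when systemd-sleep supplies its two arguments; sourcing the file does nothing.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

To try it by hand, run the script as root with the arguments systemd would pass (for example "pre hibernate") and then, as the user, check "gpg-connect-agent 'keyinfo --list' /bye", whose output includes a per-key field showing whether a passphrase is cached. Note what this does and does not cover: it empties gpg-agent's cache, which is the part David says GnuPG can only do with outside help, but the passphrase may still sit in the memory of whatever program you typed it into, and the hibernation image still contains everything else. Encrypting the swap or hibernation file at the OS level remains the real fix; the hook only narrows what an attacker can recover from it.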