[pass] pass security

Kjetil Torgrim Homme kjetil.homme at redpill-linpro.com
Wed Jan 21 11:19:40 CET 2015


On 01/21/2015 05:52 AM, Dimitris Zervas wrote:
> Hello,
> 
> First of all, I am sorry, because i guess that these questions have been asked a lot, but I failed to dig them from google.
> I want to use pass, but I am concerned about the security.
> 1. Why do you use asymmetric and not a symmetric algorithm? I haven't seen any disk encryption system use public-private key.

as Lucas Hoffman says, public key cryptography would be too
computationally expensive to use for a disk encryption system.  indeed,
PGP/GPG does not use it for the full content.  instead it creates a
random symmetric key which it encrypts the content with, and then it
encrypts that key with the public key.  (this is also why encrypting a file
to several public keys will not make it N times larger.)

> 2. What about pipes? Are they safe? Can't someone read all the plaintext?

root or Administrator on your computer will always be able to monitor
you, either through RAM or via sniffing keyboard events.  this holds
for every solution based on passwords.

> 3. What about swap? Plaintext might be saved in swap and stay on the disk forever.

you should not be using un-encrypted swap, but this is quite unlikely
since pass is a very lightweight program.

> 4. Why clipboard? Isn't auto-typing safer?

it might be safer, but it would be very hard to implement and awkward to
use.

-- 
Kjetil T. Homme
Redpill Linpro - Changing the game
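An added illustration of the session-key structure described in the answer to question 1 (example code, not from the pass project or from anyone in the thread): the content is encrypted once under a random session key, and only that key is wrapped per recipient. It assumes a per-recipient wrapping key in place of gpg's public-key step, so it runs on the Python standard library alone; the packet layout and the size arithmetic are the point.

```python
"""Model of the hybrid ("session key") layout gpg uses for encrypted files.

Assumption: the RSA/ElGamal step gpg performs is replaced by a per-recipient
symmetric wrapping key, and the cipher is an HMAC-SHA256 counter-mode
keystream. Both are stand-ins for illustration, not a usable cipher.
"""
import hashlib
import hmac
import secrets

def new_recipient_key() -> bytes:
    # Stand-in for a recipient's key pair (see module docstring).
    return secrets.token_bytes(32)

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with an HMAC-derived keystream; the same call encrypts and decrypts.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

def encrypt_to_recipients(plaintext: bytes, recipient_keys: dict[str, bytes]) -> dict:
    # One fresh random session key per message ...
    session_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(12)
    # ... the content is encrypted exactly once with it ...
    body = _keystream_xor(session_key, nonce, plaintext)
    # ... and the 32-byte session key is wrapped once per recipient
    # (a small, fixed-size packet each, independent of the content length).
    wrapped = {}
    for name, rkey in recipient_keys.items():
        wrap_nonce = secrets.token_bytes(12)
        wrapped[name] = wrap_nonce + _keystream_xor(rkey, wrap_nonce, session_key)
    return {"nonce": nonce, "body": body, "wrapped_keys": wrapped}

def decrypt_as(name: str, rkey: bytes, msg: dict) -> bytes:
    # Any listed recipient unwraps the session key with their own key, then
    # decrypts the single shared body. Unlisted names raise KeyError.
    pkt = msg["wrapped_keys"][name]
    session_key = _keystream_xor(rkey, pkt[:12], pkt[12:])
    return _keystream_xor(session_key, msg["nonce"], msg["body"])

def message_size(msg: dict) -> int:
    # Total bytes on disk: nonce + one body + one wrapped-key packet per recipient.
    return len(msg["nonce"]) + len(msg["body"]) + sum(
        len(p) for p in msg["wrapped_keys"].values())
```

Encrypting the same content to three recipients instead of one adds two 44-byte key packets, not two more copies of the content, which is the size behaviour the reply describes.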


