[pass] pass security
Lorenz Weber
mail at lenzw.de
Wed Jan 21 15:22:24 CET 2015
On 21.01.2015 at 11:19, Kjetil Torgrim Homme wrote:
> On 01/21/2015 05:52 AM, Dimitris Zervas wrote:
>> Hello,
>>
>> First of all, I am sorry, because I guess that these questions have been asked a lot, but I failed to dig them from Google. I want to use pass, but I am concerned about the security.
>>
>> 1. Why do you use asymmetric and not a symmetric algorithm? I haven't seen any disk encryption system use public-private key.
>
> as Lucas Hoffman says, public key cryptography would be too computationally expensive to use for a disk encryption system. indeed, PGP/GPG does not use it for the full content. instead it creates a random symmetric key which it encrypts the content with, and then it encrypts that key with public key. (this is also why encrypting a file to several public keys will not make it N times larger.)
>
>> 2. What about pipes? Are they safe? Can't someone read all the plaintext?
>
> root or Administrator on your computer will always be able to monitor you, either through RAM or via sniffing keyboard events. this holds for every solution based on passwords.
>
>> 3. What about swap? Plaintext might be saved in swap and stay on the disk forever.
>
> you should not be using un-encrypted swap, but this is quite unlikely since pass is a very lightweight program.
>
>> 4. Why clipboard? Isn't auto-typing safer?
>
> it might be safer, but it would be very hard to implement and awkward to use.
>
passmenu for dmenu does this, so you can also use auto-typing. For the use of
"plain" pass on the command line, I agree, it would be awkward.
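The hybrid scheme described in the quoted reply (one random symmetric key encrypts the content, and only that key is encrypted to each public key) is visible in the packet framing of an OpenPGP message. The following is an added example, not part of the original thread and not code from pass: a minimal RFC 4880 packet-header walker run over a constructed message with zero-filled dummy bodies. The 268-byte recipient packet and 4118-byte data packet sizes are assumptions chosen to resemble an RSA-2048 recipient and a small payload.

```python
PKESK, SED, SEIPD = 1, 9, 18  # RFC 4880 packet tags

def _new_len(buf, i):
    """Decode one new-format length at buf[i] -> (length, next_i, is_partial)."""
    o = buf[i]
    if o < 192:
        return o, i + 1, False
    if o < 224:
        return ((o - 192) << 8) + buf[i + 1] + 192, i + 2, False
    if o == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5, False
    return 1 << (o & 0x1F), i + 1, True  # partial body chunk, more follow

def packets(buf):
    """Yield (tag, body_length) for each top-level packet of a binary message."""
    i = 0
    while i < len(buf):
        hdr = buf[i]
        if not hdr & 0x80:
            raise ValueError(f"offset {i}: not a packet header (armored input?)")
        i += 1
        if hdr & 0x40:  # new-format header
            tag, total, partial = hdr & 0x3F, 0, True
            while partial:
                n, i, partial = _new_len(buf, i)
                total, i = total + n, i + n
        else:  # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            width = (1, 2, 4, 0)[ltype]  # 0 = indeterminate, body runs to the end
            total = int.from_bytes(buf[i:i + width], "big") if width else len(buf) - i
            i += width + total
        if i > len(buf):
            raise ValueError("truncated packet")
        yield tag, total

def summarize(buf):
    """Return (recipient key packets, encrypted data bytes, total message bytes)."""
    sizes = list(packets(buf))
    keys = sum(1 for t, _ in sizes if t == PKESK)
    data = sum(n for t, n in sizes if t in (SED, SEIPD))
    return keys, data, len(buf)

def sample(recipients):
    """Constructed message: real framing, zero-filled dummy bodies (sizes assumed)."""
    pkesk = b"\x85\x01\x0c" + bytes(268)                     # old format, tag 1
    seipd = b"\xd2\xec" + bytes(4096) + b"\x16" + bytes(22)  # tag 18, partial + final
    return pkesk * recipients + seipd
```

`summarize(sample(1))` and `summarize(sample(3))` differ only by two 271-byte recipient packets, while the encrypted data packet stays the same size. The same function can be run on the bytes of a binary (non-armored) `.gpg` file.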