[pass] pass security

Lorenz Weber mail at lenzw.de
Wed Jan 21 15:22:24 CET 2015


On 21.01.2015 at 11:19, Kjetil Torgrim Homme wrote:
> On 01/21/2015 05:52 AM, Dimitris Zervas wrote:
>> Hello,
>> 
>> First of all, I am sorry, because I guess that these questions have been asked a lot, but I failed to dig them up from Google. I want to use pass, but I am concerned about the security.
>> 
>> 1. Why do you use asymmetric and not a symmetric algorithm? I haven't seen any disk encryption system use public-private key.
> 
> as Lucas Hoffman says, public key cryptography would be too computationally expensive to use for a disk encryption system. indeed, PGP/GPG does not use it for the full content. instead it creates a random symmetric key which it encrypts the content with, and then it encrypts that key with the public key. (this is also why encrypting a file to several public keys will not make it N times larger.)
> 
>> 2. What about pipes? Are they safe? Can't someone read all the plaintext?
> 
> root or Administrator on your computer will always be able to monitor you, either through RAM or via sniffing keyboard events. this holds for every solution based on passwords.
> 
>> 3. What about swap? Plaintext might be saved in swap and stay on the disk forever.
> 
> you should not be using un-encrypted swap, but this is quite unlikely since pass is a very lightweight program.
> 
>> 4. Why clipboard? Isn't auto-typing safer?
> 
> it might be safer, but it would be very hard to implement and awkward to use.
> 

passmenu for dmenu does this, so you can also use auto-typing. For the use of
"plain" pass on the command line, I agree, it would be awkward.

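The hybrid scheme described in the quoted answer to question 1, as an added example that is not part of the original thread and is not code from pass or GnuPG. It shows that the content is encrypted once and only a small wrapped session key is added per recipient. Textbook RSA over Mersenne primes and a SHA-256 counter keystream are toy stand-ins (assumptions) for OpenPGP's real algorithms, and all names and sample data are constructed.

```python
import hashlib
import secrets

# Toy stand-ins (assumptions, not OpenPGP): textbook RSA over Mersenne primes
# wraps the session key; a SHA-256 counter keystream encrypts the content.
E = 65537

def make_keypair(p, q):
    """Return ((n, e), (n, d)) for primes p and q."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def keystream_xor(key, data):
    """XOR data with SHA-256(key || offset) blocks; the same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def encrypt(plaintext, public_keys):
    """Encrypt the content once, then wrap the session key per recipient."""
    session_key = secrets.token_bytes(16)
    k = int.from_bytes(session_key, "big")
    wrapped = [pow(k, e, n).to_bytes((n.bit_length() + 7) // 8, "big")
               for n, e in public_keys]
    return wrapped, keystream_xor(session_key, plaintext)

def decrypt(wrapped_key, body, private_key):
    """Unwrap the session key with one private key, then decrypt the content."""
    n, d = private_key
    k = pow(int.from_bytes(wrapped_key, "big"), d, n)
    return keystream_xor(k.to_bytes(16, "big"), body)

def total_size(wrapped, body):
    """Bytes on disk: one wrapped key per recipient plus one content body."""
    return sum(len(w) for w in wrapped) + len(body)

# Constructed sample data: three recipients and an 8000-byte "password file".
KEYS = [make_keypair(2**a - 1, 2**b - 1)
        for a, b in ((89, 521), (107, 607), (127, 1279))]
PLAINTEXT = b"hunter2\n" * 1000

if __name__ == "__main__":
    for count in (1, 2, 3):
        wrapped, body = encrypt(PLAINTEXT, [pub for pub, _ in KEYS[:count]])
        print(count, "recipient(s):", total_size(wrapped, body), "bytes")
```

Each additional recipient adds only one wrapped key, whose length depends on that recipient's modulus and not on the size of the content.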