[pass] pass security

Jason A. Donenfeld Jason at zx2c4.com
Wed Jan 21 16:19:48 CET 2015


On Wed, Jan 21, 2015 at 5:52 AM, Dimitris Zervas <dzervas at dzervas.gr> wrote:
> 1. Why do you use asymmetric and not a symmetric algorithm? I haven't seen any disk encryption system use public-private key.
This is not disk encryption. This is file encryption. A public key
configuration is used, because it fits the use case for pass. Please
see GPG documentation for more details.

> 2. What about pipes? Are they safe? Can't someone read all the plaintext?
Pipes are safe from snooping by an unprivileged user, so long as no
additional vulnerabilities are introduced.

> 3. What about swap? Plaintext might be saved in swap and stay on the disk forever.
We make use of /dev/shm when possible, for files. GPG makes use of
mprotect. Pass itself is unable to call mprotect, since it's bash
based, and this is considered a vulnerability, though an unlikely one,
considering the short life of bash scripts. The best solution however
is to run with encrypted swap.

> 4. Why clipboard? Isn't auto-typing safer?
There is an auto-typing script in the contrib/ folder, which is likely
safer. However, both clipboard and typing are equally vulnerable to
the same class of trivial X11 attacks.
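
An added example for answer 3 above (not part of the original message and not code from pass; the function names are hypothetical): create a private temp directory under /dev/shm when it is usable, fall back to an on-disk directory that is overwritten on cleanup, and list the active swap areas. tmpfs pages can themselves be paged out to swap, so the list shows where plaintext could still land if swap is not encrypted.

```shell
# Added example; helper names are hypothetical, not taken from pass.

# Create a private temp dir and print "<kind> <path>", where kind is ram or disk.
# $1: candidate RAM-backed directory (default /dev/shm).
secure_tmpdir() (
    shm=${1:-/dev/shm}
    umask 077
    if [ -d "$shm" ] && [ -w "$shm" ] && [ -x "$shm" ]; then
        dir=$(mktemp -d "$shm/secret.XXXXXXXXXXXXX") || exit 1
        echo "ram $dir"
    else
        # No usable tmpfs: files will touch a disk-backed filesystem.
        dir=$(mktemp -d "${TMPDIR:-/tmp}/secret.XXXXXXXXXXXXX") || exit 1
        echo "disk $dir"
    fi
)

# Remove the directory. On the disk fallback, overwrite files first
# (best effort only: journaling filesystems and SSDs may keep old blocks).
cleanup_tmpdir() (
    kind=$1
    dir=$2
    [ -d "$dir" ] || exit 0
    if [ "$kind" = disk ] && command -v shred >/dev/null 2>&1; then
        find "$dir" -type f -exec shred -f -z -u {} +
    fi
    rm -rf "$dir"
)

# Print the device or file of every active swap area.
# $1: file in /proc/swaps format (default /proc/swaps); first line is a header.
active_swap() (
    file=${1:-/proc/swaps}
    [ -r "$file" ] || exit 0
    awk 'NR > 1 { print $1 }' "$file"
)

# Run as "sh script.sh demo" to try it on the local machine.
if [ "${1:-}" = demo ]; then
    out=$(secure_tmpdir)
    echo "temp dir: ${out#* } (${out%% *}-backed)"
    echo "active swap areas:"; active_swap
    cleanup_tmpdir "${out%% *}" "${out#* }"
fi
```

Each device printed by active_swap should sit on an encrypted mapping (for example a dm-crypt volume) for the /dev/shm choice to keep plaintext off the disk.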
