Passphrase Caching


Lukas Budach

Aug 25, 2021, 6:19:32 AM8/25/21
to python-gnupg
First of all: I used gpg version 2.2.4, so I am aware that this is not 1.14.x which you fully support. That being said, I believe this is something that may still be of interest.

GnuPG has passphrase caching enabled by default it seems. Using python-gnupg to decrypt data and passing a passphrase seems to default back to this cached passphrase before using the one passed. This (hidden) behavior can cause the appearance of a backdoor, allowing the decryption of data without knowing the correct passphrase.

I spent two days debugging this, thinking it may have been caused by using different versions of GPG to generate the keys and use them, so I think this might be worth documenting in some way despite the fact that it is likely GPG behavior and not the fault of this wrapper. 

If you have any follow-up questions, I'd be happy to answer them.

Vinay Sajip

Aug 25, 2021, 6:38:50 AM8/25/21
to python-gnupg
Thanks for the info, I'll see about updating the documentation - but it would be useful for users to know how to disable the cache. Were you able to disable the caching using default-cache-ttl and/or max-cache-ttl in the GnuPG configuration?

Lukas Budach

Aug 25, 2021, 7:10:35 AM8/25/21
to python-gnupg
Amazingly quick reaction!

Yes, I added the gpg-agent.conf file to my GPG home and added the two lines
default-cache-ttl 0
max-cache-ttl 0

That disabled caching (set the time passphrases are cached for to 0). Maybe only setting one of the two would work, I didn't try that out though, since they are usually mentioned together anyways.

Additionally, I played around with clearing the cache, but that seemed to only work when using the default GPG home (~/.gnupg) and not when using a custom location.
Command for that is: echo RELOADAGENT | gpg-connect-agent
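As an added example (not code from this thread or from python-gnupg itself): the two gpg-agent.conf directives above written idempotently into a GNUPGHOME, the agent reload from the post pointed at a custom home directory via --homedir, and a regression check that a wrong passphrase is really rejected. The config parsing is my own; the last two functions assume gpg-connect-agent is on PATH and that the python-gnupg package is installed.

```python
import stat
import subprocess
from pathlib import Path

# gpg-agent.conf directives from the thread that disable passphrase caching.
NO_CACHE_DIRECTIVES = {"default-cache-ttl": "0", "max-cache-ttl": "0"}


def disable_passphrase_cache(gnupghome: str) -> Path:
    """Merge the no-cache directives into <gnupghome>/gpg-agent.conf, keeping
    unrelated lines and replacing any existing TTL so a larger one cannot win."""
    conf = Path(gnupghome) / "gpg-agent.conf"
    kept = []
    if conf.exists():
        for line in conf.read_text().splitlines():
            parts = line.split()
            is_directive = bool(parts) and not parts[0].startswith("#")
            if not (is_directive and parts[0] in NO_CACHE_DIRECTIVES):
                kept.append(line)
    kept += [f"{key} {value}" for key, value in NO_CACHE_DIRECTIVES.items()]
    conf.write_text("\n".join(kept) + "\n")
    conf.chmod(stat.S_IRUSR | stat.S_IWUSR)  # 0600, like the rest of GNUPGHOME
    return conf


def cache_settings(gnupghome: str) -> dict:
    """Return the cache TTL directives currently in gpg-agent.conf (last one wins)."""
    conf = Path(gnupghome) / "gpg-agent.conf"
    found = {}
    if conf.exists():
        for line in conf.read_text().splitlines():
            parts = line.split()
            if len(parts) >= 2 and parts[0] in NO_CACHE_DIRECTIVES:
                found[parts[0]] = parts[1]
    return found


def reload_agent(gnupghome: str) -> int:
    """RELOADAGENT as in the thread, but with --homedir so a running agent for a
    custom GNUPGHOME re-reads its config and drops cached passphrases."""
    cmd = ["gpg-connect-agent", "--homedir", gnupghome, "RELOADAGENT", "/bye"]
    return subprocess.run(cmd, capture_output=True).returncode  # exit code


def wrong_passphrase_rejected(gnupghome: str, ciphertext: bytes, wrong: str) -> bool:
    """Regression check for the thread's symptom: decrypting with a wrong
    passphrase must fail once caching is off (python-gnupg imported lazily)."""
    import gnupg  # assumption: python-gnupg is installed
    result = gnupg.GPG(gnupghome=gnupghome).decrypt(ciphertext, passphrase=wrong)
    return not result.ok
```

Run disable_passphrase_cache and reload_agent before the first decrypt, then wrong_passphrase_rejected should return True for any passphrase other than the key's own.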

Vinay Sajip

Aug 25, 2021, 12:40:22 PM8/25/21
to python-gnupg
I've updated the documentation, see https://docs.red-dove.com/python-gnupg/index.html#caching-warning - this should be in the next release.