On Thu, 27 Jul 2017 14:23:44 +0200 Peter Lebbing <pe...@digitalbrains.com> wrote:
> Now let's get on to a passphrase manager and GnuPG specifically. A
> different way to look at it is this: would you use GnuPG to protect
> your passphrase manager? This is actually a feature request I've seen
> multiple times: please provide a way to use my OpenPGP key to unlock
> my passphrase manager. In that way, the security of the passphrase
> manager is utterly dependent on the security of GnuPG. Crack GnuPG,
> and the passphrase manager falls immediately as well.

This is precisely what 'pass' (1) does. I never looked back since I started using it. Of note also is the fact that pass is not a compiled program, but instead a shell script smartly wrapping GnuPG functionality into the shape of a password manager. For this reason, I don't know if anyone ever ported the idea to Windows, but from what little I remember of PowerShell, it would be perfectly doable.

I use pass with rofi-pass to facilitate the integration with browsers and applications, allowing me to quickly enter passwords without typing them into any type of program that accepts keyboard input from the clipboard. And without *any* need for plugins of any sort on those pesky browsers.

> and those who would store their GnuPG passphrases in a
> passphrase manager.

This indeed is not so bad if it is also GnuPG that is handling your password manager. Although, I'd agree that it is one thing to discover the GnuPG passphrase for a password manager and it is another thing to also discover that you now have the victim's passwords for the remaining GnuPG keys accessible to you.

But there are other considerations. Who am I? What do I do in life? Who are my enemies? Depending on how good we are at answering these questions in a rational way, I find that a large part of the general population has little to no reason to fear storing sensitive GnuPG specific data in their personal entirely-offline password store.

As an FYI, I do not store the actual passphrases, but I do store the 0-type revocation certificates with 'pass'. I don't feel that threatening and it tremendously facilitates things for someone without any access to reliable and secure physical storage. There is no reason why I couldn't store the passphrases also. I will eventually, the day I start fearing my brain.

--
Sinceramente / Best regards,
Mário J.G.P. Figueiredo
Luanda, Angola
(email) mar...@gmx.com
(alt) kru...@openmailbox.org
(phone) +244 934 535 121
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users