Les Schaffer <[EMAIL PROTECTED]> writes:

> So I am curious. So long as I drop all reference to the passphrase
> string(s), eventually it gets garbage collected and the memory recycled.
> So "before long" the phrase is gone from memory.
>
> Is there a best practice way to do this?
You can't rely on anything like that, either on the Python GC side or from the OS (which might have long since written the passphrase out to the swap disk) without special arrangement. Some OSes have system calls to lock user pages in memory and prevent swapping, and GPG tries to use them.

"Best practice" if you're doing a high security app involves using special hardware modules to wrap the keys. The relevant standard is FIPS 140-2, with FIPS 140-3 in preparation:

http://csrc.nist.gov/cryptval/140-2.htm
http://csrc.nist.gov/cryptval/140-3.htm

For most purposes (e.g. some random web service), this stuff is overkill, though.

-- 
http://mail.python.org/mailman/listinfo/python-list
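The two points in the reply above, that Python cannot scrub an immutable `str` and that only the OS can keep a page out of swap, can be shown in a few lines. The following is an added illustration, not code from either poster: it keeps the secret in a mutable `bytearray` (the one standard container that can be overwritten in place), makes a best-effort `mlock(2)` call through `ctypes` on Linux/glibc or macOS (an assumption about the platform; it reports `False` anywhere else or when `RLIMIT_MEMLOCK` refuses), and zeroes the buffer when the `with` block ends. The `SecretBuffer` name and the sample passphrase are constructed for the example. The caveat the reply makes still applies: any `str` or `bytes` copy of the secret that existed before it reached the buffer cannot be wiped, so in real use the secret should be read straight into the `bytearray` rather than passed in as a literal.

```python
import ctypes
import sys


def _libc():
    """Best-effort handle to the C library; None where we don't know the name.
    Platform assumption for this example: glibc on Linux or libSystem on macOS."""
    try:
        if sys.platform.startswith("linux"):
            return ctypes.CDLL("libc.so.6", use_errno=True)
        if sys.platform == "darwin":
            return ctypes.CDLL("libc.dylib", use_errno=True)
    except OSError:
        pass
    return None


class SecretBuffer:
    """Holds a secret in a bytearray so it can be overwritten in place.

    str and bytes are immutable: they cannot be zeroed, and slices, joins and
    encodings of them may linger until the allocator happens to reuse the
    memory. A bytearray is the standard container we can actually scrub.
    """

    def __init__(self, secret: bytes):
        # This copies the caller's bytes; the caller's copy is NOT wiped here.
        self._buf = bytearray(secret)
        self._locked = False

    def __len__(self) -> int:
        return len(self._buf)

    def view(self) -> memoryview:
        """Read-only view for code that needs the secret; no copy is made."""
        return memoryview(self._buf).toreadonly()

    def _c_array(self):
        # A ctypes array sharing the bytearray's storage gives us its address.
        # While it exists the bytearray cannot be resized, but it can be written.
        return (ctypes.c_char * len(self._buf)).from_buffer(self._buf)

    def try_lock(self) -> bool:
        """Ask the OS to keep these pages out of swap via mlock(2).
        Returns False if the platform is unknown or the call fails."""
        libc = _libc()
        if libc is None or not self._buf:
            return False
        arr = self._c_array()
        libc.mlock.restype = ctypes.c_int
        rc = libc.mlock(ctypes.c_void_p(ctypes.addressof(arr)),
                        ctypes.c_size_t(len(self._buf)))
        del arr
        self._locked = (rc == 0)
        return self._locked

    def zero(self) -> None:
        """Overwrite the secret in place (length unchanged), then unlock."""
        self._buf[:] = b"\x00" * len(self._buf)
        if self._locked:
            libc = _libc()
            if libc is not None:
                arr = self._c_array()
                libc.munlock(ctypes.c_void_p(ctypes.addressof(arr)),
                             ctypes.c_size_t(len(self._buf)))
                del arr
            self._locked = False

    def is_zeroed(self) -> bool:
        return not any(self._buf)

    def __enter__(self):
        self.try_lock()
        return self

    def __exit__(self, *exc):
        self.zero()
        return False


def demo():
    """Use a constructed sample secret, then report what is left afterwards."""
    sample = b"correct horse battery staple"  # constructed sample passphrase
    with SecretBuffer(sample) as s:
        length = len(s)
        first_byte = s.view()[0]     # use the secret without copying it
    return length, first_byte, s.is_zeroed()


if __name__ == "__main__":
    print(demo())  # (28, 99, True); mlock success depends on the platform
```

`try_lock()` is deliberately best-effort and returns a boolean rather than raising: on a box without `mlock`, or under a low `RLIMIT_MEMLOCK`, the program still runs, and the caller can decide whether an unlocked secret is acceptable. Locking is no substitute for the hardware modules the reply mentions; it only narrows the window in which the plaintext can reach disk.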