GNU bug report logs - #15552
24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x


Package: emacs;

Reported by: Teodor Zlatanov <tzz <at> lifelogs.com>

Date: Mon, 7 Oct 2013 17:58:01 UTC

Severity: normal

Tags: notabug

Found in version 24.3.50

Done: Daiki Ueno <ueno <at> gnu.org>

Bug is archived. No further changes may be made.





Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#15552; Package emacs. (Mon, 07 Oct 2013 17:58:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Teodor Zlatanov <tzz <at> lifelogs.com>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Mon, 07 Oct 2013 17:58:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Teodor Zlatanov <tzz <at> lifelogs.com>
To: bug-gnu-emacs <at> gnu.org
Subject: 24.3.50;
 epa-file-cache-passphrase-for-symmetric-encryption not respected with
 GnuPG 2.x
Date: Mon, 07 Oct 2013 13:56:59 -0400
1. On the local system, install GnuPG 2.x and don't run the gpg-agent
2. Set epa-file-cache-passphrase-for-symmetric-encryption to t
3. Open file.gpg: password dialog pops up
4. close file.gpg
5. Open file.gpg: password dialog pops up again

Step (5) should not prompt.  It works properly with GnuPG 1.x.



In GNU Emacs 24.3.50.2 (x86_64-unknown-linux-gnu, GTK+ Version 3.4.4)
 of 2013-09-20 on flea.lifelogs.com
Bzr revision: 114415 rgm <at> gnu.org-20130921005207-1eq49miu7feptu8i
Windowing system distributor `The X.Org Foundation', version 11.0.11304000
System Description:	Gentoo Base System release 2.2




Added tag(s) notabug. Request was from Daiki Ueno <ueno <at> gnu.org> to control <at> debbugs.gnu.org. (Mon, 07 Oct 2013 23:42:02 GMT) Full text and rfc822 format available.

Reply sent to Daiki Ueno <ueno <at> gnu.org>:
You have taken responsibility. (Mon, 07 Oct 2013 23:42:03 GMT) Full text and rfc822 format available.

Notification sent to Teodor Zlatanov <tzz <at> lifelogs.com>:
bug acknowledged by developer. (Mon, 07 Oct 2013 23:42:03 GMT) Full text and rfc822 format available.

Message #12 received at 15552-done <at> debbugs.gnu.org (full text, mbox):

From: Daiki Ueno <ueno <at> gnu.org>
To: Teodor Zlatanov <tzz <at> lifelogs.com>
Cc: 15552-done <at> debbugs.gnu.org
Subject: Re: bug#15552: 24.3.50;
 epa-file-cache-passphrase-for-symmetric-encryption not respected with
 GnuPG 2.x
Date: Tue, 08 Oct 2013 08:41:40 +0900
tags 15552 notabug
thanks

Teodor Zlatanov <tzz <at> lifelogs.com> writes:

> 1. On the local system, install GnuPG 2.x and don't run the gpg-agent
> 2. Set epa-file-cache-passphrase-for-symmetric-encryption to t
> 3. Open file.gpg: password dialog pops up
> 4. close file.gpg
> 5. Open file.gpg: password dialog pops up again
>
> Step (5) should not prompt.  It works properly with GnuPG 1.x.

That's intended behavior.  It is documented and I stated a number of
times the reason and why I chose such a lengthy name of the variable and
the default is nil:

1. Emacs heap is not so secure
2. Using Emacs for password input degrades the security

You never hear or remember.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#15552; Package emacs. (Tue, 08 Oct 2013 00:47:01 GMT) Full text and rfc822 format available.

Message #15 received at 15552 <at> debbugs.gnu.org (full text, mbox):

From: Ted Zlatanov <tzz <at> lifelogs.com>
To: 15552 <at> debbugs.gnu.org
Cc: ueno <at> gnu.org
Subject: Re: bug#15552: 24.3.50;
 epa-file-cache-passphrase-for-symmetric-encryption not respected with
 GnuPG 2.x
Date: Mon, 07 Oct 2013 20:46:34 -0400
On Tue, 08 Oct 2013 08:41:40 +0900 Daiki Ueno <ueno <at> gnu.org> wrote: 

DU> tags 15552 notabug
DU> thanks

DU> Teodor Zlatanov <tzz <at> lifelogs.com> writes:

>> 1. On the local system, install GnuPG 2.x and don't run the gpg-agent
>> 2. Set epa-file-cache-passphrase-for-symmetric-encryption to t
>> 3. Open file.gpg: password dialog pops up
>> 4. close file.gpg
>> 5. Open file.gpg: password dialog pops up again
>> 
>> Step (5) should not prompt.  It works properly with GnuPG 1.x.

DU> That's intended behavior.  It is documented and I stated a number of
DU> times the reason and why I chose such a lengthy name of the variable and
DU> the default is nil:

DU> 1. Emacs heap is not so secure
DU> 2. Using Emacs for password input degrades the security

(please note I opened this at Stefan's request; I knew you wouldn't be
interested in resolving it)

I appreciate your concern for security, but the behavior is broken from
a user's perspective and you make no effort to help at the time the
issue occurs.  You could, for instance, check the GnuPG version and be
helpful.

At least fix the docstring and maybe emit a message to be helpful about
it.  There's no mention that it breaks with GnuPG 2.x:

epa-file-cache-passphrase-for-symmetric-encryption is a variable defined in `epa-file.el'.
Its value is t
Original value was nil

Documentation:
If non-nil, cache passphrase for symmetric encryption.

For security reasons, this option is turned off by default and
not recommended to use.  Instead, consider using public-key
encryption with gpg-agent which does the same job in a safer
way.

DU> You never hear or remember.

Right, thanks again.

Ted




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#15552; Package emacs. (Tue, 08 Oct 2013 03:15:02 GMT) Full text and rfc822 format available.

Message #18 received at 15552 <at> debbugs.gnu.org (full text, mbox):

From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: 15552 <at> debbugs.gnu.org
Cc: tzz <at> lifelogs.com, ueno <at> gnu.org
Subject: Re: bug#15552: 24.3.50;
 epa-file-cache-passphrase-for-symmetric-encryption not respected with
 GnuPG 2.x
Date: Mon, 07 Oct 2013 23:14:41 -0400
>> 1. On the local system, install GnuPG 2.x and don't run the gpg-agent
>> 2. Set epa-file-cache-passphrase-for-symmetric-encryption to t
>> 3. Open file.gpg: password dialog pops up
>> 4. close file.gpg
>> 5. Open file.gpg: password dialog pops up again
>> Step (5) should not prompt.  It works properly with GnuPG 1.x.
> That's intended behavior.

Could you give the rationale for it?

> It is documented and I stated a number of times the reason and why
> I chose such a lengthy name of the variable and the default is nil:

I understand why it is nil by default, but if the user sets it to t,
presumably he doesn't care about the fact that storing the password in
Emacs heap is insecure.  So why does 5 prompt the user, even though he
specifically asked for Emacs to cache the password?


        Stefan




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#15552; Package emacs. (Tue, 08 Oct 2013 07:04:01 GMT) Full text and rfc822 format available.

Message #21 received at 15552 <at> debbugs.gnu.org (full text, mbox):

From: Daiki Ueno <ueno <at> gnu.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: tzz <at> lifelogs.com, 15552 <at> debbugs.gnu.org
Subject: Re: bug#15552: 24.3.50;
 epa-file-cache-passphrase-for-symmetric-encryption not respected with
 GnuPG 2.x
Date: Tue, 08 Oct 2013 16:03:22 +0900
Stefan Monnier <monnier <at> iro.umontreal.ca> writes:

>>> 1. On the local system, install GnuPG 2.x and don't run the gpg-agent
>>> 2. Set epa-file-cache-passphrase-for-symmetric-encryption to t
>>> 3. Open file.gpg: password dialog pops up
>>> 4. close file.gpg
>>> 5. Open file.gpg: password dialog pops up again
>>> Step (5) should not prompt.  It works properly with GnuPG 1.x.
>> That's intended behavior.
>
> Could you give the rationale for it?

When gpg-agent is not properly set up as a daemon, gpg2 invokes
gpg-agent internally for each session.  In the above case, there are two
gpg2 sessions (two "Open") and thus there are two gpg-agent processes,
which don't share the passphrase.

>> It is documented and I stated a number of times the reason and why
>> I chose such a lengthy name of the variable and the default is nil:
>
> I understand why it is nil by default, but if the user sets it to t,
> presumably he doesn't care about the fact that storing the password in
> Emacs heap is insecure.

When epg.el was written, the intention of the option was the last resort
for those who only have gpg1 and can't use gpg-agent.  Since then, I've
recommended migrating to a more secure way (i.e. using gpg-agent).

Given that gpg-agent (gpg2) is now available everywhere, I think there's
no reason to advertise the use of this variable, although at some point
a few people (afaik, only Ted) started exploiting this option to provide
degraded security for usability.

So the question is, would we really like to proactively support such a
degraded security in Emacs?




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#15552; Package emacs. (Tue, 08 Oct 2013 10:48:01 GMT) Full text and rfc822 format available.

Message #24 received at 15552 <at> debbugs.gnu.org (full text, mbox):

From: Ted Zlatanov <tzz <at> lifelogs.com>
To: Daiki Ueno <ueno <at> gnu.org>
Cc: Stefan Monnier <monnier <at> iro.umontreal.ca>, 15552 <at> debbugs.gnu.org
Subject: Re: bug#15552: 24.3.50;
 epa-file-cache-passphrase-for-symmetric-encryption not respected with
 GnuPG 2.x
Date: Tue, 08 Oct 2013 06:47:38 -0400
On Tue, 08 Oct 2013 16:03:22 +0900 Daiki Ueno <ueno <at> gnu.org> wrote: 

DU> Stefan Monnier <monnier <at> iro.umontreal.ca> writes:

>>> It is documented and I stated a number of times the reason and why
>>> I chose such a lengthy name of the variable and the default is nil:
>> 
>> I understand why it is nil by default, but if the user sets it to t,
>> presumably he doesn't care about the fact that storing the password in
>> Emacs heap is insecure.

DU> When epg.el was written, the intention of the option was the last resort
DU> for those who only have gpg1 and can't use gpg-agent.  Since then, I've
DU> recommended migrating to a more secure way (i.e. using gpg-agent).

OK, so at least note it in the variable docstring.

DU> Given that gpg-agent (gpg2) is now available everywhere, I think there's
DU> no reason to advertise the use of this variable, although at some point
DU> a few people (afaik, only Ted) started exploiting this option to provide
DU> degraded security for usability.

I believe several use it, based on auth-source.el related issues.  But I
haven't kept a list.

DU> So the question is, would we really like to proactively support such a
DU> degraded security in Emacs?

Since you've moved beyond the issue at hand, I think we should start
with considering whether one security model fits all users.  Surely you
agree that this is not as clear as your question makes it sound, and
that at least some of the risk assessment should be up to the user?

Ted




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#15552; Package emacs. (Tue, 08 Oct 2013 17:18:02 GMT) Full text and rfc822 format available.

Message #27 received at 15552 <at> debbugs.gnu.org (full text, mbox):

From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: Daiki Ueno <ueno <at> gnu.org>
Cc: tzz <at> lifelogs.com, 15552 <at> debbugs.gnu.org
Subject: Re: bug#15552: 24.3.50;
 epa-file-cache-passphrase-for-symmetric-encryption not respected with
 GnuPG 2.x
Date: Tue, 08 Oct 2013 13:17:40 -0400
>>>> 1. On the local system, install GnuPG 2.x and don't run the gpg-agent
>>>> 2. Set epa-file-cache-passphrase-for-symmetric-encryption to t
>>>> 3. Open file.gpg: password dialog pops up
>>>> 4. close file.gpg
>>>> 5. Open file.gpg: password dialog pops up again
>>>> Step (5) should not prompt.  It works properly with GnuPG 1.x.
>>> That's intended behavior.
>> Could you give the rationale for it?
> When gpg-agent is not properly set up as a daemon, gpg2 invokes
> gpg-agent internally for each session.  In the above case, there are two
> gpg2 sessions (two "Open") and thus there are two gpg-agent processes,
> which don't share the passphrase.

That explains technically why gpg prompts twice, but it doesn't indicate
that this implementation was designed specifically so that step
5 prompts again.  I.e. it's not "intended behavior", but rather
"expected behavior" due to implementation choices.

Still I'm confused: what kind of caching does
epa-file-cache-passphrase-for-symmetric-encryption offer, then?
From the docstring I got the impression that it would cache the
passphrase in Emacs's heap, so gpg's own caching should be largely
irrelevant (in the second session it will prompt for a password, which
Emacs should provide from its own cache without prompting the user).


        Stefan "Also confused about what "symmetric" has to do with it"




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#15552; Package emacs. (Tue, 08 Oct 2013 21:53:01 GMT) Full text and rfc822 format available.

Message #30 received at 15552 <at> debbugs.gnu.org (full text, mbox):

From: Daiki Ueno <ueno <at> gnu.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: tzz <at> lifelogs.com, 15552 <at> debbugs.gnu.org
Subject: Re: bug#15552: 24.3.50;
 epa-file-cache-passphrase-for-symmetric-encryption not respected with
 GnuPG 2.x
Date: Wed, 09 Oct 2013 06:51:57 +0900
Stefan Monnier <monnier <at> iro.umontreal.ca> writes:

>>>>> 1. On the local system, install GnuPG 2.x and don't run the gpg-agent
>>>>> 2. Set epa-file-cache-passphrase-for-symmetric-encryption to t
>>>>> 3. Open file.gpg: password dialog pops up
>>>>> 4. close file.gpg
>>>>> 5. Open file.gpg: password dialog pops up again
>>>>> Step (5) should not prompt.  It works properly with GnuPG 1.x.

> Still I'm confused: what kind of caching does
> epa-file-cache-passphrase-for-symmetric-encryption offer, then?
> From the docstring I got the impression that it would cache the
> passphrase in Emacs's heap, so gpg's own caching should be largely
> irrelevant (in the second session it will prompt for a password, which
> Emacs should provide from its own cache without prompting the user).

It used to work like that with gpg1.  However, gpg2's implementation
choice is that it does not leak the indication that gpg2 (actually
gpg-agent) requires a passphrase and it does not allow tools other than
pinentry to inject the passphrase.

IMO that's a good idea for security (as pinentry uses secmem).

>         Stefan "Also confused about what "symmetric" has to do with it"

Perhaps you could try the above recipe with gpg-agent properly set up:

$ echo abc > file
$ gpg --symmetric file
$ eval `gpg-agent --daemon`
$ gpg2 < file.gpg
$ gpg2 < file.gpg

You won't be asked for the passphrase the second time, because
gpg-agent remembers the passphrase based on the file content.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#15552; Package emacs. (Wed, 09 Oct 2013 03:03:02 GMT) Full text and rfc822 format available.

Message #33 received at 15552 <at> debbugs.gnu.org (full text, mbox):

From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: Daiki Ueno <ueno <at> gnu.org>
Cc: tzz <at> lifelogs.com, 15552 <at> debbugs.gnu.org
Subject: Re: bug#15552: 24.3.50;
 epa-file-cache-passphrase-for-symmetric-encryption not respected with
 GnuPG 2.x
Date: Tue, 08 Oct 2013 23:01:58 -0400
> It used to work like that with gpg1.  However, gpg2's implementation
> choice is that it does not leak the indication that gpg2 (actually
> gpg-agent) requires a passphrase and it does not allow tools other than
> pinentry to inject the passphrase.

IOW epa-file-cache-passphrase-for-symmetric-encryption only works for
gpg1 and not for gpg2?

> IMO that's a good idea for security (as pinentry uses secmem).

There are many situations where local security is not nearly as
important as convenience.  But IIUC with gpg2 the general answer is "use
gpg-agent to do the caching", and it's supposed to work fine (i.e. it's
just as convenient as caching the password in Emacs).

>> Stefan "Also confused about what "symmetric" has to do with it"
> Perhaps you could try the above recipe with gpg-agent properly set up:
> $ echo abc > file
> $ gpg --symmetric file
> $ eval `gpg-agent --daemon`
> $ gpg2 < file.gpg
> $ gpg2 < file.gpg
> You won't be asked for the passphrase the second time, because
> gpg-agent remembers the passphrase based on the file content.

That doesn't really explain to me why
epa-file-cache-passphrase-for-symmetric-encryption has "symmetric" in
its name and more specifically why caching of passphrases would be
different for symmetric than for public key cryptography.


        Stefan




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#15552; Package emacs. (Wed, 09 Oct 2013 03:54:02 GMT) Full text and rfc822 format available.

Message #36 received at 15552 <at> debbugs.gnu.org (full text, mbox):

From: Daiki Ueno <ueno <at> gnu.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: tzz <at> lifelogs.com, 15552 <at> debbugs.gnu.org
Subject: Re: bug#15552: 24.3.50;
 epa-file-cache-passphrase-for-symmetric-encryption not respected with
 GnuPG 2.x
Date: Wed, 09 Oct 2013 12:53:14 +0900
Stefan Monnier <monnier <at> iro.umontreal.ca> writes:

>> It used to work like that with gpg1.  However, gpg2's implementation
>> choice is that it does not leak the indication that gpg2 (actually
>> gpg-agent) requires a passphrase and it does not allow tools other than
>> pinentry to inject the passphrase.
>
> IOW epa-file-cache-passphrase-for-symmetric-encryption only works for
> gpg1 and not for gpg2?

s/works/has no effect/

>> IMO that's a good idea for security (as pinentry uses secmem).
>
> There are many situations where local security is not nearly as
> important as convenience.  But IIUC with gpg2 the general answer is "use
> gpg-agent to do the caching", and it's supposed to work fine (i.e. it's
> just as convenient as caching the password in Emacs).

In this bug report, the reporter intentionally does not set up gpg-agent
for his login session.  Even the GnuPG 2.x manual spends one chapter on
setting up gpg-agent before the chapter on the gpg command itself.

>>> Stefan "Also confused about what "symmetric" has to do with it"
>> Perhaps you could try the above recipe with gpg-agent properly set up:
>> $ echo abc > file
>> $ gpg --symmetric file
>> $ eval `gpg-agent --daemon`
>> $ gpg2 < file.gpg
>> $ gpg2 < file.gpg
>> You won't be asked for the passphrase the second time, because
>> gpg-agent remembers the passphrase based on the file content.
>
> That doesn't really explain to me why
> epa-file-cache-passphrase-for-symmetric-encryption has "symmetric" in
> its name and more specifically why caching of passphrases would be
> different for symmetric than for public key cryptography.

I didn't get the question correctly, then.

Look at the matrix of (info "(epa) Caching Passphrases"), check when a
user is suggested to "set up elisp passphrase cache".

Anyway, the name is not so important to me, as long as it discourages
the use of the variable, so it could be
e.g. epg-file-yo-mama-wears-fancy-glasses-detection-enabled.

https://news.ycombinator.com/item?id=6372466




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#15552; Package emacs. (Wed, 09 Oct 2013 09:33:01 GMT) Full text and rfc822 format available.

Message #39 received at 15552 <at> debbugs.gnu.org (full text, mbox):

From: Ted Zlatanov <tzz <at> lifelogs.com>
To: Daiki Ueno <ueno <at> gnu.org>
Cc: Stefan Monnier <monnier <at> iro.umontreal.ca>, 15552 <at> debbugs.gnu.org
Subject: Re: bug#15552: 24.3.50;
 epa-file-cache-passphrase-for-symmetric-encryption not respected with
 GnuPG 2.x
Date: Wed, 09 Oct 2013 05:32:11 -0400
On Wed, 09 Oct 2013 12:53:14 +0900 Daiki Ueno <ueno <at> gnu.org> wrote: 

DU> I didn't get the question correctly, then.

DU> Look at the matrix of (info "(epa) Caching Passphrases"), check when a
DU> user is suggested to "set up elisp passphrase cache".

DU> Anyway, the name is not so important to me, as long as it discourages
DU> the use of the variable, so it could be
DU> e.g. epg-file-yo-mama-wears-fancy-glasses-detection-enabled.

DU> https://news.ycombinator.com/item?id=6372466

Since it still works as described for GnuPG 1.x, please fix the
variable's docstring to mention that it doesn't work with 2.x.  You
could also add a reference to the manual page as shown above, and in the
manual you could synchronize the variable description with the
docstring, also adding the xref:

@defvar epa-file-cache-passphrase-for-symmetric-encryption
If non-@code{nil}, cache passphrase for symmetric encryption.  The
default value is @code{nil}.
@end defvar

Right now, you have to read the whole manual or search for the variable
name specifically to find that table.  It's not a big manual but it's
still nice to the user.

Thanks
Ted




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#15552; Package emacs. (Wed, 09 Oct 2013 12:41:01 GMT) Full text and rfc822 format available.

Message #42 received at 15552 <at> debbugs.gnu.org (full text, mbox):

From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: Daiki Ueno <ueno <at> gnu.org>
Cc: tzz <at> lifelogs.com, 15552 <at> debbugs.gnu.org
Subject: Re: bug#15552: 24.3.50;
 epa-file-cache-passphrase-for-symmetric-encryption not respected with
 GnuPG 2.x
Date: Wed, 09 Oct 2013 08:40:34 -0400
>>> It used to work like that with gpg1.  However, gpg2's implementation
>>> choice is that it does not leak the indication that gpg2 (actually
>>> gpg-agent) requires a passphrase and it does not allow tools other than
>>> pinentry to inject the passphrase.
>> IOW epa-file-cache-passphrase-for-symmetric-encryption only works for
>> gpg1 and not for gpg2?
> s/works/has no effect/

Same difference.  The docstring should prominently say that this var
doesn't work with gpg2 because gpg2 does not let Emacs cache the
passphrase (IIUC we can't make this var effective without changes in
gpg2).

> I didn't get the question correctly, then.
> Look at the matrix of (info "(epa) Caching Passphrases"), check when a
> user is suggested to "set up elisp passphrase cache".

That repeats the fact that symmetric encryption is handled differently
but still doesn't help me understand why.


        Stefan




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#15552; Package emacs. (Thu, 10 Oct 2013 03:09:02 GMT) Full text and rfc822 format available.

Message #45 received at 15552 <at> debbugs.gnu.org (full text, mbox):

From: Daiki Ueno <ueno <at> gnu.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: tzz <at> lifelogs.com, 15552 <at> debbugs.gnu.org
Subject: Re: bug#15552: 24.3.50;
 epa-file-cache-passphrase-for-symmetric-encryption not respected with
 GnuPG 2.x
Date: Thu, 10 Oct 2013 12:08:39 +0900
Stefan Monnier <monnier <at> iro.umontreal.ca> writes:

> The docstring should prominently say that this var doesn't work with
> gpg2 because gpg2 does not let Emacs cache the passphrase (IIUC we
> can't make this var effective without changes in gpg2).

OK, I'll add it, though I'd also like to add a note saying that setting
this variable for gpg2 is kind of nonsense.

>> I didn't get the question correctly, then.  Look at the matrix of
>> (info "(epa) Caching Passphrases"), check when a user is suggested to
>> "set up elisp passphrase cache".
>
> That repeats the fact that symmetric encryption is handled differently
> but still doesn't help me understand why.

Because the passphrase caching feature for symmetric encryption is rather
new and not supported by gpg1 (yet).




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#15552; Package emacs. (Thu, 10 Oct 2013 13:26:02 GMT) Full text and rfc822 format available.

Message #48 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Ted Zlatanov <tzz <at> lifelogs.com>
To: bug-gnu-emacs <at> gnu.org
Subject: Re: bug#15552: 24.3.50;
 epa-file-cache-passphrase-for-symmetric-encryption not respected with
 GnuPG 2.x
Date: Thu, 10 Oct 2013 09:25:07 -0400
On Thu, 10 Oct 2013 12:08:39 +0900 Daiki Ueno <ueno <at> gnu.org> wrote: 

DU> Stefan Monnier <monnier <at> iro.umontreal.ca> writes:
>> The docstring should prominently say that this var doesn't work with
>> gpg2 because gpg2 does not let Emacs cache the passphrase (IIUC we
>> can't make this var effective without changes in gpg2).

DU> OK, I'll add it, though I'd also like to add a note saying that setting
DU> this variable for gpg2 is kind of nonsense.

As the user, I want a single setting across all my systems, so I don't
know in advance if gpg1, gpg2, or both will be installed.  I could add
an explicit version check in my init file, but maybe epg.el could issue
a warning if it detects that situation, just to be helpful?

Ted





Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#15552; Package emacs. (Thu, 10 Oct 2013 14:32:02 GMT) Full text and rfc822 format available.

Message #51 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Stefan Monnier <monnier <at> IRO.UMontreal.CA>
To: bug-gnu-emacs <at> gnu.org
Subject: Re: bug#15552: 24.3.50;
 epa-file-cache-passphrase-for-symmetric-encryption not respected with
 GnuPG 2.x
Date: Thu, 10 Oct 2013 10:31:02 -0400
>>> The docstring should prominently say that this var doesn't work with
>>> gpg2 because gpg2 does not let Emacs cache the passphrase (IIUC we
>>> can't make this var effective without changes in gpg2).
DU> OK, I'll add it, though I'd also like to add a note saying that setting
DU> this variable for gpg2 is kind of nonsense.
> As the user, I want a single setting across all my systems, so I don't
> know in advance if gpg1, gpg2, or both will be installed.  I could add
> an explicit version check in my init file, but maybe epg.el could issue
> a warning if it detects that situation, just to be helpful?

IIUC, for gpg2 this var has no effect whatsoever, so if you want
password caching you need to setup gpg-agent: nothing Emacs can do
about it.

So the "single setting" is: set this var (for those systems that use
gpg1) and setup gpg-agent (on those systems that have gpg2).


        Stefan

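The "explicit version check in my init file" Ted mentions in message #48, combined with Stefan's "single setting" answer in message #51 (enable the Emacs-side cache only where gpg1 is in use, rely on gpg-agent where gpg2 is), as an added example.  This is not code from the bug thread or from epa-file.el.  It assumes `epg-gpg-program' (a real variable from epg-config.el) names the gpg binary Emacs will invoke; the `my/' function names are hypothetical, and the GPG_AGENT_INFO check is an assumption that only holds for GnuPG 2.0-era agents started with `eval `gpg-agent --daemon`' (GnuPG 2.1 and later use a fixed socket and do not set that variable).

```elisp
;; Added example, not code from the bug thread or from epa-file.el.
;; Assumptions: `epg-gpg-program' (epg-config.el) names the gpg binary
;; Emacs will run; the `my/' function names are hypothetical.
(require 'epg-config)
(require 'epa-file)

(defun my/epg-gpg-version ()
  "Return the GnuPG version string of `epg-gpg-program', or nil.
Parses the first line of `gpg --version', e.g. \"gpg (GnuPG) 2.0.22\"."
  (with-temp-buffer
    (when (eq 0 (ignore-errors
                  (call-process epg-gpg-program nil t nil "--version")))
      (goto-char (point-min))
      (when (re-search-forward
             "^gpg (GnuPG[^)]*) \\([0-9]+\\(?:\\.[0-9]+\\)*\\)" nil t)
        (match-string 1)))))

(defun my/epa-configure-passphrase-cache ()
  "Apply one passphrase-caching policy per host, based on the gpg version.
With GnuPG 1.x, enable the Emacs-side cache (accepting that the
passphrase then lives in the Emacs heap, as the docstring warns).
With GnuPG 2.x the variable has no effect, so leave it nil and warn
when no gpg-agent appears to be running, since each gpg2 invocation
would otherwise spawn its own agent and prompt again."
  (let ((ver (my/epg-gpg-version)))
    (cond
     ((null ver)
      (display-warning 'epa (format "Could not run %s --version"
                                    epg-gpg-program)))
     ((version< ver "2")
      (setq epa-file-cache-passphrase-for-symmetric-encryption t))
     (t
      (setq epa-file-cache-passphrase-for-symmetric-encryption nil)
      ;; Assumption: a GnuPG 2.0-era gpg-agent advertises itself through
      ;; GPG_AGENT_INFO (set by `eval $(gpg-agent --daemon)').  GnuPG 2.1+
      ;; uses a fixed socket instead, so on 2.1+ this is only a hint.
      (unless (getenv "GPG_AGENT_INFO")
        (display-warning
         'epa
         (format "GnuPG %s found but GPG_AGENT_INFO is unset; start gpg-agent as a daemon or every gpg call will prompt for the passphrase"
                 ver)))))))

(add-hook 'emacs-startup-hook #'my/epa-configure-passphrase-cache)
```

Running the check from `emacs-startup-hook' rather than at top level of the init file keeps the `call-process' out of the load path of every `emacs --batch' run; evaluate `(my/epa-configure-passphrase-cache)' directly to test it interactively.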



Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#15552; Package emacs. (Thu, 10 Oct 2013 14:33:01 GMT) Full text and rfc822 format available.

Message #54 received at 15552 <at> debbugs.gnu.org (full text, mbox):

From: Stefan Monnier <monnier <at> IRO.UMontreal.CA>
To: Daiki Ueno <ueno <at> gnu.org>
Cc: tzz <at> lifelogs.com, 15552 <at> debbugs.gnu.org
Subject: Re: bug#15552: 24.3.50;
 epa-file-cache-passphrase-for-symmetric-encryption not respected with
 GnuPG 2.x
Date: Thu, 10 Oct 2013 10:32:36 -0400
>> That repeats the fact that symmetric encryption is handled differently
>> but still doesn't help me understand why.
> Because passphrase caching feature for symmetric encryption is rather
> new and not supported by gpg1 (yet).

Ah?  I wonder why, but at least that does explain why epg handles
it specially.


        Stefan




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 08 Nov 2013 12:24:03 GMT) Full text and rfc822 format available.




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.