From: bug#19991 <19991@debbugs.gnu.org>
To: bug#19991 <19991@debbugs.gnu.org>
Subject: Status: 24.3; insecure design or else bug: gpg passphrase persists when emacs is closed and re-opened
Date: Fri, 15 Aug 2025 00:27:45 +0000

retitle 19991 24.3; insecure design or else bug: gpg passphrase persists when emacs is closed and re-opened
reassign 19991 emacs
submitter 19991 Ed Green
severity 19991 normal
tag 19991 notabug
thanks

From: Ed Green
To: bug-gnu-emacs@gnu.org
Subject: 24.3; insecure design or else bug: gpg passphrase persists when emacs is closed and re-opened
Date: Tue, 03 Mar 2015 12:19:27 -0500
Message-ID: <54F5ED1F.5030701@psu.edu>

--text follows this line--

This bug report will be sent to the Bug-GNU-Emacs mailing list
and the GNU bug tracker at debbugs.gnu.org. Please check that
the From: line contains a valid email address. After a delay of up
to one day, you should receive an acknowledgment at that address.

Please write in English if possible, as the Emacs maintainers
usually do not have translators for other languages.

Please describe exactly what actions triggered the bug, and
the precise symptoms of the bug. If you can, give a recipe
starting from `emacs -Q':

--- BUG REPORT BEGINS HERE

I opened emacs24 in xubuntu 14.04 with command "emacs&". In dired, I
opened a gpg-encrypted file. I was prompted to supply my passphrase,
after which the unencrypted text was displayed. I did not click the
box labelled "Automatically unlock this key, whenever I'm logged in".

Next, I closed emacs by clicking the 'x' in the corner of the window. I
opened emacs in a new process with "emacs&". Again in dired, I opened a
different gpg-encrypted file. The unencrypted text was immediately
displayed, without my being prompted for a passphrase.

Only after I re-booted the computer, was I again required to provide a
passphrase in order to display decrypted text of an encrypted file. (I
did so again, and repeated the test just described, prior to writing
this message.)

There is no notification of this behavior of the program, either on
screen or in any documentation that I have been able to find. Users
reasonably believe that, after they close emacs, data (including a
passphrase) entered in a session will be lost. But even a user who is
sufficiently prudent to close emacs after reading an encrypted file will
unwittingly expose all of his/her encrypted files to being read by
someone else who is able to open emacs (even remotely, I guess) on the
computer, until the next time that it is re-booted. I've been using
emacs for a long time to read encrypted files, without realising until
now that they were being potentially exposed in that way.

It seems preferable that this behavior should be changed, so that a
passphrase supplied during an emacs session will be over-written in
computer memory when the emacs process is terminated--and especially so
that the passphrase is not automatically used when emacs is subsequently
run---unless possibly the user has deliberately elected to make the
passphrase to persist.
(I wouldn't personally recommend that users be offered that risky
option.) At the very least, if the current behavior is retained, then a
clear, prominent warning about it should be given.

By the way, would it also be desirable to over-write computer memory
assigned to emacs buffers containing decrypted files when the buffers
are closed (including when the program is closed with such a buffer
open)?

--- BUG REPORT ENDS HERE

If Emacs crashed, and you have the Emacs process in the gdb debugger,
please include the output from the following gdb commands:
    `bt full' and `xbacktrace'.
For information about debugging Emacs, please read the file
/usr/share/emacs/24.3/etc/DEBUG.

In GNU Emacs 24.3.1 (x86_64-pc-linux-gnu, GTK+ Version 3.10.7)
 of 2014-03-07 on lamiak, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.11501000
System Description: Ubuntu 14.04.2 LTS

Configured using:
 `configure '--build' 'x86_64-linux-gnu' '--build' 'x86_64-linux-gnu' '--prefix=/usr' '--sharedstatedir=/var/lib' '--libexecdir=/usr/lib' '--localstatedir=/var/lib' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--with-pop=yes' '--enable-locallisppath=/etc/emacs24:/etc/emacs:/usr/local/share/emacs/24.3/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/24.3/site-lisp:/usr/share/emacs/site-lisp' '--with-crt-dir=/usr/lib/x86_64-linux-gnu' '--with-x=yes' '--with-x-toolkit=gtk3' '--with-toolkit-scroll-bars' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2''

Important settings:
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix
  default enable-multibyte-characters: t

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent input:
x r e p o r t - u n s a f e SPC e n c r y p t i o n SPC b e h a v i o r
C-x k y e s C-x 0 C-x k x r e p o r t - e

Recent messages:
Checking 35 files in /usr/share/emacs/24.3/lisp/erc...
Checking 24 files in /usr/share/emacs/24.3/lisp/emulation...
Checking 74 files in /usr/share/emacs/24.3/lisp/emacs-lisp...
Checking 12 files in /usr/share/emacs/24.3/lisp/cedet...
Checking 30 files in /usr/share/emacs/24.3/lisp/calendar...
Checking 44 files in /usr/share/emacs/24.3/lisp/calc...
Checking 40 files in /usr/share/emacs/24.3/lisp/obsolete...
Checking 1 files in /usr/share/emacs/24.3/leim...
Checking for load-path shadows...done
Auto-saving...

Load-path shadows:
/usr/share/emacs/24.3/site-lisp/debian-startup hides /usr/share/emacs/site-lisp/debian-startup

Features:
(browse-url help-mode shadow sort gnus-util mail-extr emacsbug message
format-spec rfc822 mml easymenu mml-sec mm-decode mm-bodies mm-encode
mail-parse rfc2231 mailabbrev gmm-utils mailheader sendmail rfc2047
rfc2045 ietf-drums mm-util mail-prsvr mail-utils time-date tooltip
ediff-hook vc-hooks lisp-float-type mwheel x-win x-dnd tool-bar dnd
fontset image regexp-opt fringe tabulated-list newcomment lisp-mode
register page menu-bar rfn-eshadow timer select scroll-bar mouse
jit-lock font-lock syntax facemenu font-core frame cham georgian
utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean
japanese hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese case-table epa-hook jka-cmpr-hook help simple abbrev
minibuffer loaddefs button faces cus-face macroexp files text-properties
overlay sha1 md5 base64 format env code-pages mule custom widget
hashtable-print-readable backquote make-network-process dbusbind
dynamic-setting system-font-setting font-render-setting move-toolbar gtk
x-toolkit x multi-tty emacs)

From: Tassilo Horn
To: Ed Green
Cc: 19991@debbugs.gnu.org
Subject: Re: bug#19991: 24.3; insecure design or else bug: gpg passphrase persists when emacs is closed and re-opened
Date: Tue, 03 Mar 2015 20:32:04 +0100
Message-ID: <87bnk9513f.fsf@gnu.org>
In-Reply-To: <54F5ED1F.5030701@psu.edu>

Ed Green writes:

Hi Ed,

> I opened emacs24 in xubuntu 14.04 with command "emacs&". In dired, I
> opened a gpg-encrypted file. I was prompted to supply my passphrase,
> after which the unencrypted text was displayed. I did not click the
> box labelled "Automatically unlock this key, whenever I'm logged in".
>
> Next, I closed emacs by clicking the 'x' in the corner of the window. I
> opened emacs in a new process with "emacs&". Again in dired, I opened a
> different gpg-encrypted file. The unencrypted text was immediately
> displayed, without my being prompted for a passphrase.

I guess that's not related to Emacs but instead the GPG Agent cached the
passphrase, and the second file you opened was encrypted with the same
public key as the former file.

By default, the GPG Agent caches passphrases for two hours:

,----[ (info "(gnupg)Agent Options") ]
| '--max-cache-ttl N'
|      Set the maximum time a cache entry is valid to N seconds. After
|      this time a cache entry will be expired even if it has been
|      accessed recently or has been set using 'gpg-preset-passphrase'.
|      The default is 2 hours (7200 seconds).
`----

Bye,
Tassilo

From: Glenn Morris
Subject: control message for bug 19991
Date: Wed, 04 Mar 2015 11:52:51 -0500

tag 19991 notabug

From: Glenn Morris
Subject: control message for bug 19991
Date: Fri, 24 Apr 2015 15:05:41 -0400

close 19991

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Sat, 23 May 2015 11:24:05 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
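
Added example, not part of the original thread and not Emacs or GnuPG project code: a shell check of the gpg-agent cache lifetimes that the reply above points to, so the passphrase retention window is visible before it surprises anyone. The sample configuration, the 300-second policy limit and the function names are constructed for illustration; the option names and defaults are those of the GnuPG manual.

```shell
#!/bin/sh
# Added example: audit gpg-agent passphrase-cache lifetimes.

# Constructed sample of a ~/.gnupg/gpg-agent.conf (not from the thread).
sample_conf() {
cat <<'EOF'
# cache entries expire 60 s after last use
default-cache-ttl 60
pinentry-program /usr/bin/pinentry-gtk-2
#max-cache-ttl 120
EOF
}

# effective_ttl OPTION DEFAULT: read a gpg-agent.conf on stdin and print the
# value set for OPTION, or DEFAULT when the file does not set it.
# Assumption: if the option is repeated, the last line wins.
effective_ttl() {
    awk -v opt="$1" -v def="$2" '
        /^[ \t]*#/ { next }                       # skip comment lines
        $1 == opt && $2 ~ /^[0-9]+$/ { def = $2 } # remember numeric value
        END { print def }'
}

# audit_conf LIMIT: read a gpg-agent.conf on stdin; succeed only if both
# cache lifetimes are at or below LIMIT seconds.
# Defaults per the GnuPG manual: default-cache-ttl 600, max-cache-ttl 7200.
audit_conf() {
    conf=$(cat)
    idle=$(printf '%s\n' "$conf" | effective_ttl default-cache-ttl 600)
    max=$(printf '%s\n' "$conf" | effective_ttl max-cache-ttl 7200)
    echo "default-cache-ttl=$idle max-cache-ttl=$max limit=$1"
    [ "$idle" -le "$1" ] && [ "$max" -le "$1" ]
}

# Drop every cached passphrase now instead of waiting for expiry.
# Defined but not called here: it needs a running agent.
flush_agent_cache() {
    gpgconf --reload gpg-agent
}

# The commented-out max-cache-ttl leaves the 2-hour default in force,
# so a 300-second policy fails even though default-cache-ttl is 60.
if sample_conf | audit_conf 300; then echo "OK"; else echo "cache lifetime too long"; fi
```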