EasyPG 0.0.2 review

by rbytes.net on

EasyPG is yet another GnuPG interface for Emacs

License: GPL (GNU General Public License)
File size: 12K
Developer: Daiki Ueno
0 stars award from rbytes.net

EasyPG is yet another GnuPG interface for Emacs. EasyPG package consists of two parts:

The EasyPG Assistant - A GUI frontend of GnuPG
The EasyPG Library - A library to interact with GnuPG

Here are some key features of "EasyPG":
The EasyPG Assistant provides the following features:
Cryptographic operations are usable from dired mode.
Keyring management interface.
Transparent encryption/decryption of *.gpg files.

The EasyPG Library provides the following features:
The API covers most functions of GnuPG.
Designed to avoid potential security pitfalls around Emacs.

Passphrase may leak to a temporary file

The function call-process-region writes data in region to a temporary file. If your PGP library used this function, your passphrases would leak to the filesystem.

The EasyPG Library does not use call-process-region to communicate with a gpg subprocess.

Passphrase may be stolen from a core file

If Emacs crashes and dumps core, Lisp strings in memory are also dumped within the core file. read-passwd function clears passphrase strings by (fillarray string 0) to avoid this risk. However, Emacs performs compaction in gc_sweep phase. If GC happens before fillarray, passphrase strings may be moved elsewhere in memory. Therefore, passphrase caching in elisp is generally a bad idea.

The EasyPG Library dares to disable passphrase caching. Fortunately, there is more secure way to cache passphrases - use gpg-agent.

GNU Emacs 21.4 or XEmacs 21.4
GnuPG 1.4.3

EasyPG 0.0.2 keywords