
Re: GPG memory is not secure.



At Tue, 19 Aug 2014 23:41:22 +0200,
Werner Koch wrote:
> On older Linux kernels you had to install gpg suid(root) to allow
> mlock() to work (gpg will drop the permissions right after allocating
> and locking the memory).  Recent Linux kernels grant each process a
> certain amount of mlock()-able memory without root permissions.  I am
> not sure about the current status on BSD kernels and frankly I tend to
> ignore the warning or use no-secmem-warning in my gpg.conf.  Encrypted
> swap is anyway a better protection.

According to the FreeBSD manpages, FreeBSD 10 allows unprivileged users to
use mlock/munlock by default (security.bsd.unprivileged_mlock=1).

But the current stable kFreeBSD kernel is version 9, and it does not have
such a function.

-- 
% sudo sysctl security.bsd.unprivileged_mlock
security.bsd.unprivileged_mlock: 1
% gpg -v
gpg: Go ahead and type your message ...
^C
gpg: signal Interrupt caught ... exiting

% sudo sysctl security.bsd.unprivileged_mlock=0
security.bsd.unprivileged_mlock: 1 -> 0
% gpg -v
Warning: using insecure memory!
gpg: Go ahead and type your message ...
^C
gpg: signal Interrupt caught ... exiting

