Mailing List Archive

insecure memory warning
i'm a new user of gpg, and i've installed it to encrypt data files,
not for delivery, but for secure storage.

i'm running red hat linux 5.1 and have installed gpg from the source
(not from any rpm).

since i'm encrypting for secure storage (and not for mail), i've
chosen to use the --symmetric option with gpg. when i run it on
a file, i receive this message:

gpg: Warning: using insecure memory!

what does this mean? how bad is this?

also, is --symmetric the correct option to use? and how strong is
the encryption when there is no passing of keys?

thank you.
Re: insecure memory warning
There are two ways to disable this message:

If you have root access to the gpg executable then you can change gpg to be
suid:

chmod 4755 gpg

There is also an option --no-secmem-warning that is documented in the manual.

Basically, what this warning is telling you is that gpg is unable to lock
memory for the exclusive use of gpg (i.e., no other programs/processes/etc.
can inspect the state of the program and its internal data). If the box that
you are using is private (like your own linux box) then this warning has less
meaning than if you are running gpg on your ISP's box w/ 300 different users.

From a security standpoint, any possible way that your data can be potentially
exploited should be reported, and gpg is doing a good job of telling you
about it.

Hope this helps.

Tony

On Fri, Jan 14, 2000 at 12:30:04PM -0500, hardpack wrote:
>
> i'm a new user of gpg, and i've installed it to encrypt data files,
> not for delivery, but for secure storage.
>
> i'm running red hat linux 5.1 and have installed gpg from the source
> (not from any rpm).
>
> since i'm encrypting for secure storage (and not for mail), i've
> chosen to use the --symmetric option with gpg. when i run it on
> a file, i receive this message:
>
> gpg: Warning: using insecure memory!
>
> what does this mean? how bad is this?
>
> also, is --symmetric the correct option to use? and how strong is
> the encryption when there is no passing of keys?
>
> thank you.
>

--
Tony Nelson Standard Disclaimers Apply
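
Added example, not part of the original thread and not GnuPG's own code: a minimal C sketch of what "locking memory" means for a secret buffer, assuming the POSIX mlock() call. The names secmem_t, secmem_init and secmem_release are hypothetical. When mlock() fails, the pages holding the passphrase can be written to swap, and the program can only warn and continue.

```c
#define _DEFAULT_SOURCE 1   /* for MAP_ANONYMOUS on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper type: one page-aligned region for secrets. */
typedef struct { void *base; size_t len; int locked; } secmem_t;

/* Returns 1 if the region is locked in RAM, 0 if it is usable but
 * swappable ("insecure memory"), -1 if it could not be allocated. */
int secmem_init(secmem_t *m, size_t want) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || want == 0) return -1;
    size_t len = (want + (size_t)page - 1) / (size_t)page * (size_t)page;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    m->base = p;
    m->len = len;
    /* mlock fails with EPERM or ENOMEM when the process lacks the
     * privilege or exceeds RLIMIT_MEMLOCK. */
    m->locked = (mlock(p, len) == 0);
    if (!m->locked)
        fprintf(stderr, "warning: using insecure memory (mlock: %s)\n",
                strerror(errno));
    return m->locked;
}

/* Overwrite the secret before the pages go back to the kernel. */
void secmem_release(secmem_t *m) {
    volatile unsigned char *p = m->base;
    for (size_t i = 0; i < m->len; i++) p[i] = 0;
    if (m->locked) munlock(m->base, m->len);
    munmap(m->base, m->len);
    m->base = NULL; m->len = 0; m->locked = 0;
}

int main(void) {
    secmem_t m;
    const char demo[] = "constructed-passphrase"; /* sample value */
    if (secmem_init(&m, sizeof demo) < 0) return 1;
    memcpy(m.base, demo, sizeof demo);
    printf("secret buffer locked in RAM: %s\n", m.locked ? "yes" : "no");
    secmem_release(&m);
    return 0;
}
```
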
Re: insecure memory warning
On Fri, 14 Jan 2000, hardpack wrote:

> gpg: Warning: using insecure memory!
>
> what does this mean? how bad is this?

See the man page under BUGS and option --no-secmem-warning

> also, is --symmetric the correct option to use? and how strong is
> the encryption when there is no passing of keys?

You give a key when you use --symmetric (-c). The key is derived from
the passphrase you have to enter. The security depends on the quality
of the passphrase.


--
Werner Koch at guug.de www.gnupg.org keyid 621CC013

Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html
Re: insecure memory warning
Hi,

On Sun, Jul 30, 2000 at 10:51:31AM -0400, Peter Dominguez wrote:

> Can someone tell me how to fix the insecure memory warning?

Set the 'Set-User-ID Bit' to prevent GnuPG from using insecure
memory:

root# chmod u+s /usr/local/bin/gpg

or insert the Option 'no-secmem-warning' in ~/.gnupg/options to
tell GnuPG to ignore the warnings.

Peter


--
Peter Neuhaus OpenPGP key CCC53782
OpenIT GmbH tel +49 211 239577-0
Birkenstr. 12 email pneuhaus@openit.de
D-40233 Duesseldorf http://www.OpenIT.de