Making kwallet more secure

Thiago Macieira thiago at
Sat Aug 23 19:18:54 BST 2008

Michael Pyne wrote:
> You would have to ensure that the kwallet daemon runs as a different
> user as a minimum I would think.  I wonder how ssh-agent and gpg-agent
> handle it though, maybe I'm thinking this through wrong and there's a
> syscall that can lock memory even away from different pids owned by the
> same user.

GPG is setuid root. And it locks a region of memory so that it doesn't get 
swapped out. (otherwise passwords could be recovered by scanning the 

This of course requires that the system be trusted. If any root-level or 
kernel-level malware is running, no security will help you. 

Physical security is also important: you can yank memory modules from a 
running computer and plug them into another to read the contents before they 
are lost.

  Thiago Macieira  -  thiago (AT) - thiago (AT)
    PGP/GPG: 0x6EF45358; fingerprint:
    E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
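
The memory locking mentioned in the message above, shown at the system-call level as an added example; it is not part of the original e-mail and not GnuPG's code. The `secret_buf` type and the `secret_alloc`/`secret_free` names are hypothetical, and the sketch assumes a POSIX system with C11 `aligned_alloc`.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical holder for a secret kept in page-aligned memory. */
struct secret_buf {
    unsigned char *p;
    size_t len;     /* allocated length, rounded up to whole pages */
    int locked;     /* 1 if mlock() succeeded, 0 if pages may still be swapped */
};

/* Allocate whole pages and ask the kernel to keep them out of swap. */
int secret_alloc(struct secret_buf *b, size_t want)
{
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0 || want == 0)
        return -1;
    size_t page = (size_t)ps;
    b->len = (want + page - 1) / page * page;
    b->p = aligned_alloc(page, b->len);
    if (b->p == NULL)
        return -1;
    /* mlock() fails for an unprivileged process once RLIMIT_MEMLOCK is
     * exceeded; record the outcome so the caller can refuse to continue. */
    b->locked = (mlock(b->p, b->len) == 0);
#ifdef MADV_DONTDUMP
    /* Linux only: also keep these pages out of core dumps. */
    madvise(b->p, b->len, MADV_DONTDUMP);
#endif
    return 0;
}

/* Wipe the secret before the pages are unlocked and returned. */
void secret_free(struct secret_buf *b)
{
    if (b->p == NULL)
        return;
    volatile unsigned char *v = b->p;   /* volatile: the wipe is not optimized away */
    for (size_t i = 0; i < b->len; i++)
        v[i] = 0;
    munlock(b->p, b->len);
    free(b->p);
    b->p = NULL;
    b->len = 0;
    b->locked = 0;
}
```

Locking only keeps the pages out of swap; it does not change which processes may read them.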