On 9/14/20 1:53 PM, Martin Wilck wrote:
Q: "How is my personal key protected?" A: "At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. [..] You should use the Thunderbird feature to set a Master Password. Without a master password, your OpenPGP keys in your profile directory are unprotected."
Holy 5hi4! That is indeed a showstopper. I wonder how many folks that will catch by surprise? But thank you, Martin, for bringing that forward.

Why is Tbird bringing your GPG keys in and then storing them in a directory outside of .gnupg and duplicating what GPG does, instead of using a gpg agent or some sort of known way to just access your GPG keys for use? This seems like 2 steps backwards in security. Steal laptop -- look in thunderbird profile, if no Master Password, scrape keys to the kingdom...

--
David C. Rankin, J.D.,P.E.