Security
Threat model of GnuPG Desktop and GnuPG VS-Desktop
GnuPG Desktop and GnuPG VS-Desktop completely protect your data to the highest standards after encryption and before decryption.
GnuPG (VS-)Desktop assumes that any security functions which can technically and legally be compromised are indeed compromised. So anything that could affect or weaken our encryption is provided by GnuPG and not the operating system or hardware. For example, random number generation.
Endpoint protection, the protection of the plaintext, cannot be provided by GnuPG and is out of scope.
For security requirements above RESTRICTED / VS-NfD we therefore recommend air-gapped systems and / or not to use a standard Windows.
Microsoft Windows
Microsoft Windows, when connected to the Internet, cannot be secured against attacks in which Microsoft is required by law to assist. We recommend the documentation of the BSI SiSyPHuS Project on hardening Windows Systems.
Outlook and Exchange
Outlook is a black box which sends out data to the Internet. When using Exchange as the server this is done in the binary MAPI protocol.
GnuPG VS-Desktop provides a plugin, GpgOL, for Microsoft Outlook. This plugin passes plaintext to Outlook which can be intercepted by other plugins and Outlook itself. We do a best effort to prevent plain text from being saved to the Exchange server. But even with draft encryption enabled it is easy to accidentally write confidential information in a mail before selecting encrypt.
In case where a temporary storage of plain text on the Exchange Server is an unacceptable risk we therefore recommend to encrypt files and attach the encrypted files to unencrypted mails.
For security requirements above RESTRICED / VS-NfD we recommend KMail with GnuPG VS-Desktop on Linux.
Our development standards
Based on this threat model our software is completely based on Open Source software so that users running such a system can be ensured that no hidden backdoors are included in our development process.
- All third party code has to be verified using two different channels.
- Binaries are compiled only by using the GCC / MinGW compiler suites. For technically reasons we run a dedicated Windows machine for the final step of linking the MSI installers.
- Our signing keys are all hosted on smartcards or tokens.
- Our build systems are hosted by us; we don't use any external cloud services.
- All our source code is replicated to public accessible servers for public scrutiny.
- We use only open source operating systems and run (with one exception) Windows systems only in test environments.
Threat model of libgcrypt
Libgcrypt is the crypto library of GnuPG VS-Desktop. Libgcrypt has been developed for use in a wide variety of platforms with different security needs. Some platforms exhibit fine-grained side channels which can be used to spy on processes running in other containers or virtual machines. Although Libgcrypt implements many countermeasures against such side-channels attacks, it is not possible to avoid all of them. In the worst case it is thus possible to leak the entire private key or a password to a malicious process running in another virtual machine on the same hardware.
Those hardware related threats are out of scope in Libgcrypt's threat model. It is up to users not to offer any access to those side-channels. Please avoid running GnuPG Desktop and GnuPG VS-Desktop on a machine where other virtual machines are not in the same trusted domain.
Disclosure policy
GnuPG.com / g10 Code GmbH takes the security of our software very seriously. In general we prefer a full disclosure approach and all bugs are listed in our public bug tracker; code changes in our software repository are public.
Given that parts of GnuPG (VS-)Desktop are also an important part of many software distributions and severe bugs would affect their users directly, we co-ordinate with them in private as soon as we learn about a severe vulnerability. Sometimes we receive pre-notifications of research which may lead to a new kind of vulnerability. In these cases we may work with the researchers in private on a solution and co-ordinate our fix release with them.
GnuPG Desktop and GnuPG VS-Desktop users can expect updates as soon as a security fix is released.
Security contact
If you have found a severe security problem and you do not want to
publish it, please report it by mail to support at gnupg.com
(encryption key).
We prefer reports in plain text format; if needed we can also work with PDF files. For security reasons we cannot read any other complex data formats (e.g. docx or odt). English reports are preferred; but most of our staff is able to read and write in German.