❓ More details about random_seed

[skywinder]

Hi.
According to manual:

Note all the contents of the .gitsecret/ folder should be checked in, /except/ the random_seed file.

1. I didn't found information from the docs, how random_seed is using? If everything encrypted via pgp key, so why it's valuable information, that we have to hide?
2. What happens, if we compromise this seed?

---

related to #144

[joshrabinowitz]

@skywinder , I looked into this some.

1. random_seed is mentioned here: gnupg configuration

See also mentions of random_seed at this gnupg tutorial

The random_seed file is intended to be unique for each user (which is why it should not be checked into git), and stores entropy data for use in the next encryption, after which is it altered.

2. If this seed is compromised, then the security of gnupg's encryption is weakened because (as I understand) by default this random_seed is used to create a salt , and if you can control the contents of random_seed, you can affect the salt. As explained in the gnupg manpage in the --no-random-seed-file explanation:

   GnuPG uses a file to store it's internal random pool over invocations.
   This makes random generation faster; however sometimes write operations
   are not desired. This option can be used to achieve that with the cost of
   slower random generation.

Let me know if you have any more questions, and if you think the docs need updating, we'd be happy to accept a PR that improves the documentation.

[skywinder]

great explanation. thank you, @joshrabinowitz ! 👍