From bd5d80b4f6221a612f836b20c948163242969203 Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Fri, 2 Apr 2021 17:56:39 +0100 Subject: [PATCH] Pageant: document deferred decryption. --- doc/pageant.but | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/doc/pageant.but b/doc/pageant.but index fa535fa7..5ef1e5a0 100644 --- a/doc/pageant.but +++ b/doc/pageant.but 
@@ -231,6 +231,42 @@ you can send it all the way back to Pageant using the local and then it's available to every machine that has agent forwarding available (not just the ones downstream of the place you added it). +\H{pageant-mainwin-addkey} Loading keys without decrypting them + +You can also add keys to Pageant \e{without} decrypting them. The key +file will be held in Pageant's memory still encrypted, and when a +client program first tries to use the key, Pageant will display a +dialog box prompting for the passphrase so that the key can be +decrypted. + +This works the same way whether the key is used by an instance of +PuTTY running locally, or a remote client connecting to Pageant +through agent forwarding. + +After the key has been decrypted for the first use, it remains +decrypted, so that it can be used again. + +To add a key to Pageant by reading it out of a local disk file, press +the \q{Add Key (encrypted)} button in the Pageant main window, or +alternatively right-click on the Pageant icon in the system tray and +select \q{Add Key (encrypted)} from there. Pageant will bring up a +file dialog, in just the same way as it would for the plain \q{Add +Key} button. But it won't ask for a passphrase. Instead, the key will +be listed in the main window with \q{(encrypted)} after it. + +To start Pageant up in the first place with encrypted keys loaded into +it, you can use the \cq{--encrypted} option on the command line. For +example: + +\c C:\PuTTY\pageant.exe --encrypted d:\main.ppk + +\s{CAUTION}: When Pageant displays a prompt to decrypt an +already-loaded key, it cannot give keyboard focus to the prompt dialog +box. As far as I know this is a deliberate defensive measure by +Windows, against malicious software. So make sure you click in the +prompt window before typing your passphrase, or else the passphrase +might be sent to somewhere you didn't want to trust with it! 
+ \H{pageant-security} Security considerations \I{security risk}Using Pageant for public-key authentication gives you the
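Review bot: the new \H{pageant-mainwin-addkey} section leaves two things undocumented that a reader will want before relying on deferred decryption. First, "After the key has been decrypted for the first use, it remains decrypted" does not say for how long or how to undo it: state whether the key stays decrypted until Pageant exits or the key is removed, and whether there is any way to return it to the encrypted state. Second, since the text says the prompt appears "whether the key is used by an instance of PuTTY running locally, or a remote client connecting to Pageant through agent forwarding", the \s{CAUTION} paragraph should also tell the user that an unexpected passphrase prompt may have been triggered by a forwarded connection rather than by anything they did locally, so they should check which client is asking before entering the passphrase. The "As far as I know this is a deliberate defensive measure by Windows" hedge is fine as a note on cause, but the practical rule (click in the prompt window first) should stand on its own regardless of the reason for the focus behaviour.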