> I use full disk encryption (cryptsetup / LUKS), so the password file
> is secure at rest, and when I'm actually using the system, if
> gpg-agent is used, then anyone with access to the machine can access
> the password file anyway.

That assumes a single-user situation.  But if someone manages to run
code on your machine as some user other than yourself or root, then they
will have access to most of your files, but not to your gpg-agent (and
hence not to your gpg-encrypted files).

Also, gpg-agent voluntarily forgets the passwords after some timeout, so
even if someone gets access to your machine as your user or as root,
they may still be unable to decrypt your gpg files if enough time has
passed and gpg-agent has forgotten your password.


        Stefan
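The timeout Stefan relies on is set in gpg-agent.conf. The fragment below is an added illustration, not part of the original message; it shows the two cache lifetime options with their stock defaults commented out next to tightened values (the option names and default seconds are GnuPG's, the tightened values are an assumption about what a short-lived cache might look like):

```conf
# ~/.gnupg/gpg-agent.conf
#
# default-cache-ttl: seconds a cached passphrase survives after its
# LAST use.  Each use by gpg resets this clock.  GnuPG default: 600.
#default-cache-ttl 600
default-cache-ttl 120

# max-cache-ttl: hard upper bound in seconds since the passphrase was
# ENTERED, regardless of how often it is used.  GnuPG default: 7200.
#max-cache-ttl 7200
max-cache-ttl 900
```

Apply the change with `gpgconf --reload gpg-agent`; `gpgconf --kill gpg-agent` drops every cached passphrase immediately, which is the manual equivalent of the timeout expiring.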
