I think there's a higher-level point that hasn't been made explicit, although I'm sure it's what Daiki is thinking: Anything that can cause the passphrase to be written to the filesystem is horribly broken; the whole point of the passphrase is that while the secret key (encrypted with the passphrase) is on disk, without the passphrase one can't get the key even if one has the disk. As soon as the passphrase ends up on disk, through a temp file, core file, or swap space, the plan is compromised. Programs like gnupg take care to mlock(2) or similar to keep key data from being paged out. (One also needs to disable kernel crash dumps.) The right solution might instead be to push for gpg-agent to be production ready, so that the entire notion of emacs dealing with passphrases can be deprecated. -- Greg Troxel
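The following is an added example of the precautions the post describes (pinning passphrase memory with mlock(2), keeping it out of core dumps, and wiping it before release). It is not code from the original post, from gnupg, or from Emacs; it assumes a POSIX system (tested-style names are Linux's, and the prctl/madvise calls are used only under #ifdef __linux__). The type and function names (secret_buf, disable_core_dumps, read_passphrase) are hypothetical, and the sample input is constructed.

```c
/* Added example: keep a passphrase out of swap and core dumps.
 * Not gnupg's or the original poster's code. Assumes POSIX; the
 * prctl/madvise hardening is Linux-only and guarded by #ifdef. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Page-aligned, mlock'ed buffer for secret material (hypothetical name). */
struct secret_buf {
    unsigned char *mem;
    size_t len;     /* bytes usable by the caller */
    size_t mapped;  /* bytes actually mapped (a page multiple) */
    int locked;     /* 1 if mlock(2) succeeded */
};

/* Forbid core dumps so a crash cannot write the passphrase to disk.
 * Returns 0 on success, -1 on failure. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
#ifdef __linux__
    /* Also mark the process non-dumpable; this additionally blocks
     * ptrace attach by other unprivileged processes. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}

/* Returns 1 if this process's soft core-file limit is now zero. */
int core_limit_is_zero(void)
{
    struct rlimit rl;
    return getrlimit(RLIMIT_CORE, &rl) == 0 && rl.rlim_cur == 0;
}

/* Map `len` bytes of anonymous memory and pin them with mlock(2).
 * Returns 0 on success; sb->locked records whether the lock itself
 * succeeded (it can fail under RLIMIT_MEMLOCK or in a sandbox, which
 * a caller should at least warn about, as gnupg does). */
int secret_buf_alloc(struct secret_buf *sb, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || len == 0)
        return -1;
    size_t mapped = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;
    void *p = mmap(NULL, mapped, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    sb->mem = p;
    sb->len = len;
    sb->mapped = mapped;
    sb->locked = (mlock(p, mapped) == 0);
#ifdef MADV_DONTDUMP
    /* Exclude the region from any core dump that does get written. */
    madvise(p, mapped, MADV_DONTDUMP);
#endif
    return 0;
}

/* Wipe through a volatile pointer so the store cannot be optimised away,
 * then unlock and unmap. */
void secret_buf_free(struct secret_buf *sb)
{
    if (!sb->mem)
        return;
    volatile unsigned char *v = sb->mem;
    for (size_t i = 0; i < sb->mapped; i++)
        v[i] = 0;
    if (sb->locked)
        munlock(sb->mem, sb->mapped);
    munmap(sb->mem, sb->mapped);
    sb->mem = NULL;
    sb->len = sb->mapped = 0;
    sb->locked = 0;
}

/* Read one line from `fp` straight into the locked buffer (never via a
 * stack or heap temporary) and strip the trailing newline.
 * Returns the passphrase length, or -1 on error or overlong input. */
ssize_t read_passphrase(FILE *fp, struct secret_buf *sb)
{
    if (fgets((char *)sb->mem, (int)sb->len, fp) == NULL)
        return -1;
    size_t n = strnlen((char *)sb->mem, sb->len);
    if (n > 0 && sb->mem[n - 1] == '\n')
        sb->mem[--n] = '\0';
    else if (n == sb->len - 1)
        return -1;  /* line did not fit: refuse rather than truncate */
    return (ssize_t)n;
}
```

The order of operations matters: disable dumps before the secret exists, read the passphrase directly into the pinned region so no unpinned copy is ever made, and wipe before unmapping so the page is not released still holding the bytes. Note that mlock only keeps this process's copy out of swap; a terminal or editor that buffered the keystrokes first has already defeated the point, which is the argument above for moving the whole job into gpg-agent.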