Musings about on-disk encryption in Fedora Core
mike at flyn.org
mike at flyn.org
Tue Jul 6 14:54:02 UTC 2004
>> If my system password is not unknown to others then my encryption
>> password is probably no good either. I think root has to be trusted in
>> most cases. I would be interested to hear any arguments that "only
>> mount[ing] the encrypted, potentially sensitive stuff when you need it"
>> would be more secure than unmounting encrypted volumes a login time
>> (assuming a strong system authentication token).
> If I have a different password, there is no representation of it on disk
> (like crypt() or MD5 hashes of a login password). There's a reason my
> PGP pass phrase is different from my login password as well ;-). If one
> is compromised, the other isn't.
As I mentioned, I am assuming a strong system authentication token. As you
mention, storing MD5 hashes on disk is not a strong system authentication
token. But I'm sure one could produce a technique for storing passwords on
disk that would be as difficult to decipher as performing a known plain text
attack on your on-disk encrypted data.
I would also argue that if I have access to your account than I eventually
have access to your PGP keys. I can install something in .bash_profile and I
can read your process memory, right?
I suppose that one could argue that all these passphrases and passwords are a
defense in depth technique, but here is a fundamental problem: your system
authentication token says to the system "this is me" and if that is not the
case then all else is eventually doomed.
--
Mike
More information about the fedora-devel-list
mailing list