Neil Bothwick wrote:
> On Mon, 31 Mar 2008 07:36:52 +0100, Dirk Heinrichs wrote:
>
>>> That still means your keys are readable all the time,
>> By root only, chmod 400 is your friend.
>
> But still readable.
>>> whereas mine
>>> disappear long before the network comes up.
>> So what? If somebody cracks into your box and gains root access, he
>> can't mount /boot and take the keys?
>
> That's right, because the keys aren't in /boot ;-)

But they are somewhere. He who has cracked your box can simply look into
/etc/conf.d/dmcrypt to find out where your keyfile is stored and mount
that fs if needed. There's no difference in storing them on the root fs
directly; it will take the cracker just a few seconds longer to get it.

But hey, this answers my question about the sense of using gpg encrypted
keyfiles. :-)

Another possible solution is to put the keyfile(s) on a USB stick and
unplug this right after booting. I doubt I would always remember to do
so :-)

Bye...

Dirk
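An added audit script for the point made in this thread (my own example, not something Dirk or Neil posted): it walks /etc/conf.d/dmcrypt and reports, per target, where the key material lives, so you can see what a root compromise would actually expose: prompted passphrase, plain keyfile (with a chmod 400 / root-ownership check), gpg-wrapped keyfile, or keyfile on a removable device. It assumes the Gentoo conf.d stanza format (target=/swap= opens a stanza, key= and remdev= follow) and the ":gpg" suffix convention for GPG-wrapped keys.

```shell
# Added example, not code from the thread: audit a Gentoo-style
# /etc/conf.d/dmcrypt and report where each target's key material lives.
# Assumes that file's stanza format (target=/swap= opens a stanza, key= and
# remdev= follow) and that a ":gpg" suffix on key= marks a GPG-wrapped keyfile.

unquote() { v=${1#*=}; v=${v#[\'\"]}; echo "${v%[\'\"]}"; }   # value of name=value

# Extra note for a plain keyfile: warn unless it is mode 0400/0600 and root-owned.
perm_note() {
    if [ ! -e "$1" ]; then echo " [missing]"; return 0; fi
    mode=$(ls -ld "$1" | cut -c1-10)
    owner=$(ls -ld "$1" | awk '{print $3}')
    case $mode in
        ?r??------) [ "$owner" = root ] || echo " [WARN: owned by $owner, not root]" ;;
        *)          echo " [WARN: mode $mode, chmod 400 it]" ;;
    esac
}

# Print one report line for a stanza: $1=target $2=key $3=remdev.
report_stanza() {
    tgt=$1 key=$2 rem=$3
    if [ -z "$tgt" ]; then return 0; fi
    path=${key%:gpg}                      # strip a ":gpg" suffix, if present
    if [ -z "$key" ]; then
        echo "$tgt: passphrase only, no key material on disk"
    elif [ -n "$rem" ]; then
        echo "$tgt: keyfile $path on removable device $rem (unplug after boot)"
    elif [ "$path" != "$key" ]; then
        echo "$tgt: gpg-wrapped keyfile $path (readable, but useless without its passphrase)"
    else
        echo "$tgt: PLAIN keyfile $path, readable by anyone who gets root$(perm_note "$path")"
    fi
}

# Walk the config; each target=/swap= line closes the previous stanza.
audit_dmcrypt() {
    t= k= r=
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                  # drop trailing comments
        case $line in
            target=*|swap=*) report_stanza "$t" "$k" "$r"; t=$(unquote "$line"); k=; r= ;;
            key=*)    k=$(unquote "$line") ;;
            remdev=*) r=$(unquote "$line") ;;
        esac
    done < "$1"
    report_stanza "$t" "$k" "$r"          # flush the last stanza
}

conf=${1:-/etc/conf.d/dmcrypt}
if [ -r "$conf" ]; then audit_dmcrypt "$conf"; fi
```

Run it as root on the box (or point it at a copy of the file); only the PLAIN lines describe keys that a root compromise hands over without any further secret.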