| 1 |
Neil Bothwick schrieb: |
| 2 |
> On Mon, 31 Mar 2008 07:36:52 +0100, Dirk Heinrichs wrote: |
| 3 |
> |
| 4 |
>>> That still means your keys are readable all the time, |
| 5 |
>> By root only, chmod 400 is your friend. |
| 6 |
> |
| 7 |
> But still readable. |
| 8 |
>>> whereas mine |
| 9 |
>>> disappear long before the network comes up. |
| 10 |
>> So what? If somebody cracks into your box and gains root access, he |
| 11 |
>> can't mount /boot and take the keys? |
| 12 |
> |
| 13 |
> That's right, because the keys aren't in /boot ;-) |
| 14 |
|
| 15 |
But they are somewhere. He who has cracked your box can simply look into |
| 16 |
/etc/conf.d/dmcrypt to find out where your keyfile is stored and mount |
| 17 |
that fs if needed. There's no difference in storing them on the root fs |
| 18 |
directly, it will take the cracker just a few seconds longer to get it. |
| 19 |
|
| 20 |
But hey, this answers my question about the sense of using gpg encrypted |
| 21 |
keyfiles. :-) |
| 22 |
|
| 23 |
Other possible solution is to put the keyfile(s) on an USB stick and |
| 24 |
unplug this right after booting. I doubt I would always remember to do |
| 25 |
so :-) |
| 26 |
|
| 27 |
Bye... |
| 28 |
|
| 29 |
Dirk |
Archives