From: "Dirk Heinrichs"
To: gentoo-user@lists.gentoo.org
Date: Mon, 31 Mar 2008 18:15:54 +0200
Subject: Re: [gentoo-user] Cryptfs
Message-ID: <47F10E3A.1080401@online.de>
In-Reply-To: <20080331091129.5915c0f2@loonquawl.digimed.co.uk>

Neil Bothwick wrote:
> On Mon, 31 Mar 2008 07:36:52 +0100, Dirk Heinrichs wrote:
>
>>> That still means your keys are readable all the time,
>>
>> By root only, chmod 400 is your friend.
>
> But still readable.
>
>>> whereas mine disappear long before the network comes up.
>>
>> So what? If somebody cracks into your box and gains root access, he
>> can't mount /boot and take the keys?
>
> That's right, because the keys aren't in /boot ;-)

But they are somewhere. He who has cracked your box can simply look into
/etc/conf.d/dmcrypt to find out where your keyfile is stored and mount
that fs if needed. There's no difference from storing them on the root fs
directly; it will take the cracker just a few seconds longer to get it.

But hey, this answers my question about the sense of using gpg-encrypted
keyfiles. :-)

Another possible solution is to put the keyfile(s) on a USB stick and
unplug it right after booting. I doubt I would always remember to do so :-)

Bye...

	Dirk

-- 
gentoo-user@lists.gentoo.org mailing list
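The point of the exchange above is that a key file's protection depends on where it lives and how it is stored, not on whether root can read it: a plaintext key on a permanently mounted filesystem is one `cat` away for anyone who gets root, a gpg-encrypted key still needs its passphrase, and a key on removable media is gone once the stick is unplugged. The script below is an added example for this thread, not code from the list or from Gentoo, that audits a `/etc/conf.d/dmcrypt`-style file for exactly those cases and checks the "chmod 400" advice. It assumes the file is a sequence of stanzas of shell-style assignments starting with `target=`, with `key='path'` for a key file, `key='path:gpg'` for a gpg-encrypted one and `remdev=` when the key sits on removable media (my reading of the Gentoo init script's conventions, not something the thread states); the sample configuration and its paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the gentoo-user thread or from Gentoo.
# Audit a Gentoo-style /etc/conf.d/dmcrypt file for key files that sit in
# plaintext on a permanently mounted filesystem (readable by anyone who gets
# root), and check that a key file is not group- or world-readable.
# Assumed syntax (not stated in the thread): stanzas of shell assignments
# beginning with target=; key='path' names a key file, key='path:gpg' a
# gpg-encrypted key file, remdev='/dev/xxx' a removable device holding it.

# Constructed sample configuration, not taken from any real system.
sample_dmcrypt_conf() {
    cat <<'EOF'
# swap with a random key: nothing on disk to steal
target='crypt-swap'
source='/dev/sda2'
options='-c aes-cbc-essiv:sha256 -s 256'

# plaintext key on the root fs: root can read it at any time
target='crypt-home'
source='/dev/sda3'
key='/etc/keys/home.key'

# gpg-encrypted key: a copy of the file is useless without the passphrase
target='crypt-data'
source='/dev/sda4'
key='/etc/keys/data.key:gpg'

# key on a USB stick that is unplugged after boot
target='crypt-backup'
source='/dev/sdb1'
key='/keys/backup.key'
remdev='/dev/sdc1'
EOF
}

# Strip "name=" and one layer of surrounding quotes from an assignment line.
strip_value() {
    v=${1#*=}
    v=${v#\'}; v=${v%\'}
    v=${v#\"}; v=${v%\"}
    printf '%s' "$v"
}

# Print one verdict line for the stanza collected in $target/$key/$remdev.
flush_stanza() {
    [ -n "$target" ] || return 0
    case "$key" in
        '')    verdict='no-keyfile' ;;              # random key, e.g. swap
        *:gpg) verdict='gpg-encrypted' ;;
        *)     if [ -n "$remdev" ]; then verdict='removable-media'
               else verdict='PLAINTEXT-on-mounted-fs'; fi ;;
    esac
    printf '%s %s %s\n' "$target" "$verdict" "${key:--}"
}

# Read a dmcrypt config on stdin; emit "target verdict keypath" per stanza.
audit_dmcrypt_conf() {
    target='' key='' remdev=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '#'*|'')  continue ;;                   # comments and blank lines
            target=*) flush_stanza
                      target=$(strip_value "$line"); key=''; remdev='' ;;
            key=*)    key=$(strip_value "$line") ;;
            remdev=*) remdev=$(strip_value "$line") ;;
        esac
    done
    flush_stanza
}

# True (exit 0) when the key file is readable by its group or by others,
# i.e. it has not been locked down to the owner as "chmod 400" would do.
keyfile_too_open() {
    [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Stand-alone run: list every target with its verdict, then show the
# permission check on a throwaway file created with a too-open mode.
sample_dmcrypt_conf | audit_dmcrypt_conf
tmp=$(mktemp) && chmod 644 "$tmp"
if keyfile_too_open "$tmp"; then
    echo "$tmp: readable by group/others, use chmod 400"
fi
rm -f "$tmp"
```

Only the `PLAINTEXT-on-mounted-fs` line is the case the thread argues about; the `gpg-encrypted` and `removable-media` verdicts are the two mitigations Dirk mentions, and `no-keyfile` covers targets such as swap that use a random key and have nothing on disk to steal.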