Re: [gpm] gnome-keyring Lock keyring on suspend

From: Yaron Sheffer <yaronf gmx com>
To: stef memberwebs com, Richard Hughes <richard hughsie com>
Cc: Stef Walter <stef-list memberwebs com>, gnome-keyring-list gnome org, gnome-power-manager-list gnome org
Subject: Re: [gpm] gnome-keyring Lock keyring on suspend
Date: Wed, 21 Jul 2010 11:41:07 +0300

Resending, as my earlier message is still sitting in the gpm moderation queue.

Quoting from Stef's reply:

It is the goal of the gnome-keyring project to be 'locked' while the
screen saver is active. And then become unlocked when the screensaver
password is typed. This 'locked' mode discards secrets and keys from
memory. There may be bits of this that are not implemented yet.

Obviously it's more complex than that, because some users don't log into
their computers with passwords. However such users very likely have
lower expectations of their computer's security.

Documenting this and choosing good defaults is a worthwhile effort.

Thanks,
	Yaron

On 07/19/2010 11:48 AM, Yaron Sheffer wrote:

Did some initial research. Richard Hughes announced this feature here: http://hughsient.livejournal.com/19481.html and https://bugzilla.gnome.org/show_bug.cgi?id=375681.

The feature is indeed off-by-default ( http://git.gnome.org/browse/gnome-power-manager/tree/data/org.gnome.power-manager.gschema.xml), and for good usability reasons. BTW, lock-on-hibernate is on by default.

Richard suggested back then that this should be in the UI. I have another proposal: make this flag on-by-default, but have the logic (now at http://git.gnome.org/browse/gnome-power-manager/tree/src/gpm-control.c) depend on this flag, as well as the combination of the power manager setting /apps/gnome-power-manager/lock/suspend and when applicable, the screen saver setting/apps/gnome-screensaver/lock_enabled.

In other words:

if (gpm-lock-keyring-on-suspend &&

    (gpm-use-screensaver-setting ? screensaver-lock-on-suspend : gpm-lock-on-suspend)) {

         lock-the-keyring();

    }

Rationale: if the user needs to enter a password on resume, you might as well clear the keyring on suspend. Otherwise, we don't want to annoy users by requiring a password during resume.

Motivation for lock-on-suspend: suspend, as opposed to hibernate, maintains power to RAM. This makes cold-boot attacks practical on stolen laptops (http://citp.princeton.edu/pub/coldboot.pdf). Moreover, an attacker can physically probe the RAM to read everything off it. And I suppose this is trivial if you have a programmable DMA device.

Thanks,

    Yaron

On 07/19/2010 06:28 AM, Stef Walter wrote:
On 2010-07-18 12:24, Yaron Sheffer wrote:
  
it took me some time to find the Gnome configuration value
/apps/gnome-power-manager/lock/gnome_keyring_suspend. It was disabled on
my machine (Ubuntu Lucid). IMHO, it should be on-by-default because it
adds quite a bit of security for laptops, which tend to be
suspended/hibernating when they get stolen.


So: can it be turned on (or is it just Ubuntu)?
    
Yes, I think it should be turned on. I'd be really interested in why
it's not on by default. If you have time to research this that would be
a big help. This may be historical. The gnome-power-manager maintainers
may know.

  
Can I help to document this flag? Maybe start a "secure configuration FAQ"?
    
Sure, you can branch it off of here:

http://live.gnome.org/GnomeKeyring

Thanks for your participation!

Cheers,

Stef
  

References:
- Re: [gpm] gnome-keyring Lock keyring on suspend
  - From: Yaron Sheffer

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]