Re: encryption has nothing to do with password?
- From: Zhang Weiwu <zhangweiwu realss com>
- To: Jim Campbell <jcampbell gnome org>
- Cc: seahorse-list gnome org
- Subject: Re: encryption has nothing to do with password?
- Date: Wed, 19 Nov 2014 08:42:07 +1000 (AEST)
On Tue, 18 Nov 2014, Jim Campbell wrote:
> There is information about how to create new keyrings (as well as how to
> lock them) included in the Passwords and Keys (aka Seahorse) help.
> These topics are included as part of the Passwords and Keys application,
> but you can also see them here:
> * Create a new keyring:
>   https://help.gnome.org/users/seahorse/stable/keyring-create.html.en
> * Lock your keyring with a password:
>   https://help.gnome.org/users/seahorse/stable/keyring-lock.html.en

Since the login keyring is locked by default until I unlock it with the login
password, yet it is not encrypted (demonstrated on my friend's PC),
therefore, locking does not encrypt the password files. Your suggestion that
I should encrypt /home also hints so.

Since locking does not encrypt the passwords, therefore, creating a new
keyring will not encrypt the passwords in it either, but merely provides a
lock that is different from the system login. If my harddisk is stolen, the
cracker only needs to break the lock, not to decrypt the data - think about
'chmod +rw passfile' compared to passfile.gpg - perhaps they only need to
swap the login keyring with the new keyring in order to read from it. Creating a
new keyring also brings up the question of how to make chromium use that
keyring (most of my passwords are chromium passwords).

Now comes the tricky part: my security risk is not getting my harddisk stolen -
since I live in a remote area someone has to drive a few hours to attempt
that. The risk comes from backdoors, phishing websites, malware that comes from
the Internet - chances are these apps run in my identity and thus can access
the encrypted harddisk partition, defeating the purpose of encryption.

Is it true that seahorse can't protect me from malware that 1) has read
access to the password file but 2) does not have API access to locked keyrings?
Because if it is true, encrypting the partition won't help me and I may fall
back to the old password manager 'revelation' which I forwent a year ago for
seahorse. Truly I am looking at fault-tolerant security (assuming user
identity can be compromised like all downloaded .exe do on Windows and
protect most sensitive data in that scenario) which may not be the design
goal of seahorse (but is for 'revelation').

Thanks a lot for your reply, very informative!