Re: encryption has nothing to do with password?




On Tue, 18 Nov 2014, Jim Campbell wrote:

> There is information about how to create new keyrings (as well as how to
> lock them) included in the Passwords and Keys (aka Seahorse) help.
> These topics are included as part of the Passwords and Keys application,
> but you can also see them here:
>
> * Create a new keyring:
> https://help.gnome.org/users/seahorse/stable/keyring-create.html.en
> * Lock your keyring with a password:
> https://help.gnome.org/users/seahorse/stable/keyring-lock.html.en

Since the login keyring is locked by default until I unlock it with my login password, yet it is not encrypted (demonstrated on my friend's PC), locking does not encrypt the password files. Your suggestion that I should encrypt /home also hints so.

Since locking does not encrypt the passwords, creating a new keyring will not encrypt the passwords in it either, but merely provides a lock that is different from the system login. If my hard disk is stolen, the cracker only needs to break the lock, not to decrypt the data - think about 'chmod +rw passfile' compared to passfile.gpg - perhaps they only need to swap the login keyring with the new keyring in order to read from it. Creating a new keyring also brings up the question of how to make chromium use that keyring (most of my passwords are chromium passwords).

Now comes the tricky part: my security risk is not getting the hard disk stolen - since I live in a remote area, someone has to drive a few hours to attempt that. The risk comes from backdoors, phishing websites and malware coming from the Internet - chances are these apps run under my identity and thus can access the encrypted hard disk partition, defeating the purpose of encryption.

Is it true that seahorse can't protect me from malware that 1) has read access to the password file but 2) has no API access to locked keyrings? Because if it is true, encrypting the partition won't help me and I may fall back to the old password manager 'revelation', which I gave up a year ago for seahorse. Truly I am looking at fault-tolerant security (assuming the user identity can be compromised, like all downloaded .exe files do on Windows, and protecting the most sensitive data in that scenario), which may not be the design goal of seahorse (but is for 'revelation').

Thanks a lot for your reply, very informative!
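To make the distinction the message turns on concrete, here is an added example (not from this thread, Seahorse or gnome-keyring, and using a constructed toy file format rather than gnome-keyring's real on-disk layout or the Secret Service API). It contrasts the two layers the author compares: a file that is only access-controlled leaks its secrets to anyone who obtains the raw bytes (the 'chmod +rw passfile' case), while a store sealed with a passphrase-derived key reveals nothing without the passphrase (the passfile.gpg case). The small `Keyring` class then models the second point: once the store is unlocked, the plaintext sits in the session and any code running under the same identity can ask the API for it, so encryption at rest does not by itself defend against malware running as the user. Names such as `seal`, `open_sealed`, `leaks_plaintext` and `Keyring` are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed toy format for illustrating "locked" vs "encrypted".
# It is NOT gnome-keyring's on-disk format nor the Secret Service API.
MAGIC = b"TOYKEYRING1"
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    # Slow, salted derivation so a stolen file cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 200_000, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode (stdlib has no AES); keystream XORed with data.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(passphrase: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: without the passphrase the bytes on disk reveal nothing."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    key = _derive_key(passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, MAGIC + salt + nonce + ct, hashlib.sha256).digest()
    return MAGIC + salt + nonce + tag + ct


def open_sealed(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a wrong passphrase fails closed."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a sealed store")
    i = len(MAGIC)
    salt, i = blob[i:i + SALT_LEN], i + SALT_LEN
    nonce, i = blob[i:i + NONCE_LEN], i + NONCE_LEN
    tag, ct = blob[i:i + TAG_LEN], blob[i + TAG_LEN:]
    key = _derive_key(passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, MAGIC + salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered store")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def leaks_plaintext(blob: bytes, secret: bytes) -> bool:
    """What someone holding only the raw bytes (stolen disk, plain file read) learns."""
    return secret in blob


def wrong_passphrase_rejected(blob: bytes, passphrase: str) -> bool:
    try:
        open_sealed(passphrase, blob)
        return False
    except ValueError:
        return True


class Keyring:
    """Locked/unlocked model: the API hands out secrets only while unlocked,
    but while unlocked it answers any caller running under this identity."""

    def __init__(self, sealed: bytes):
        self._sealed = sealed      # what is on disk: always sealed
        self._entries = None       # plaintext lives here only while unlocked

    @classmethod
    def create(cls, passphrase: str, entries: dict) -> "Keyring":
        body = "\n".join(f"{k}={v}" for k, v in entries.items()).encode("utf-8")
        return cls(seal(passphrase, body))

    @property
    def locked(self) -> bool:
        return self._entries is None

    def unlock(self, passphrase: str) -> None:
        body = open_sealed(passphrase, self._sealed).decode("utf-8")
        self._entries = dict(line.split("=", 1) for line in body.split("\n") if line)

    def lock(self) -> None:
        self._entries = None

    def lookup(self, name: str) -> str:
        if self.locked:
            raise PermissionError("keyring is locked")
        return self._entries[name]

    def on_disk(self) -> bytes:
        return self._sealed


if __name__ == "__main__":
    # Constructed sample secret; "permission only" storage is just the plaintext bytes.
    plain_file = b"chromium/github=hunter2"
    kr = Keyring.create("correct horse", {"chromium/github": "hunter2"})
    print("plain file leaks secret to a raw read:", leaks_plaintext(plain_file, b"hunter2"))
    print("sealed file leaks secret to a raw read:", leaks_plaintext(kr.on_disk(), b"hunter2"))
    print("wrong passphrase rejected:", wrong_passphrase_rejected(kr.on_disk(), "guess"))
    kr.unlock("correct horse")
    print("any caller in the unlocked session gets:", kr.lookup("chromium/github"))
    kr.lock()
```

The two checks map onto the two threats in the message: `leaks_plaintext` is what disk theft or a plain file read yields, and it is defeated only by the sealing step; `Keyring.lookup` is what malware running as the user gets, and it is limited only by how long the keyring stays unlocked, not by whether the disk is encrypted.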

