On Mon, May 19, 2008 11:16, Max Vozeler wrote: > On Tue, May 13, 2008 at 08:02:28PM +0200, David Härdeman wrote: >> I'm also planning to use some of the infrastructure of the patch to add >> support for two-factor keys (ask a passphrase, hash it, get a keyfile >> from usb stick, xor the two together, use that as the key) and >> smartcards (I've already ordered the hardware, dunno when I'll get it). ... > If we plan to add second factors do you reckon we should > still support non-wrapped plain keys? > > I worry a bit that the security implications of plain keys > will be difficult to convey to users inside the partman UI, > and so they might get a wrong sense of security. ... > Will the user instinctly grasp the implications correctly? > > If not, perhaps we should > > a) not offer plain keys at all? > > b) offer plain keys only to be stored on encrypted devices? > > c) name it "Plain key on removable device > (DONOTUSEUNLESSYOUKNOWWHATYOUAREDOING!)" or something? ;-)
Alternative b) is the same as keydev with password if we're talking about encrypted root (so it's actually the same as alternative a)). I actually see this as more of a documentation issue. I don't see that much of a problem with unencrypted keys on external storage. Personally I have one laptop where I use a key on a usb stick together with a password to boot (support for that is not in a state where I want to commit it to cryptsetup just yet) and one where I use a plain keyfile on a usb stick. In order to judge the merits of both approaches, the different threat scenarios must be understood. Encrypted keyfile on a usb stick: The key can be retrieved from kernel memory by an attacker who has managed to get root access to your computer while it is running (dmsetup table --showkeys). An attacker who has root access or $your-user-id access to your computer while running can get at your personal data in /home, which on 98% of all laptops (for details on how I came up with that statistic, see http://www.dilbert.com/fast/2008-05-08/) is what is really valuable to you. If you lose your usb stick, the encryption should keep the key safe against brute-force attacks, but I would still recommend any user that lost his key to do a new installation using a new key just to be sure...the encryption buys the user time to do so. Non-encrypted keyfile on a usb stick: This opens up (as far as I've been able to come up with) two additional attack scenarios: First, if the usb key is left attached to the computer after boot (probably not that uncommon), an attacker who manages to gain access to $your-user-id can also get the key to the harddisk (since you probably have privileges to mount the usb key). This can be mitigated by either removing the key, not allowing regular users to mount the key or using an fs which allows for proper permissions and setting the keyfile to be root readable only. In any case, if an attacker has access to $your-user-id, they have access to your /home and (using the above statistics), most users would be fubar:ed already. Second, if you lose the key and the laptop together, an attacker has the opportunity to boot the computer. I consider this to be the major disadvantage. This can be solved by separating computer and usb key e.g. while traveling (usb key goes in pocket of your pants, computer is in a laptop bag). Someone who holds you up at gun point to get both key and computer would have to know there was a key and could probably use the threat of violence to get key, computer and passphrase from you if they do know and you use the key and keydev approach. An added benefit of unencrypted keys is that it allows for encrypted partitions on e.g. servers and other headless devices. Insert key, boot server, remove key. So I think unencrypted keys is mostly a case of user education and not something we should disable. partman-auto-crypto is for the user who does not want to understand the details :) -- David Härdeman -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
