On 08/02/16 01:48, Remi Locherer wrote:
> On Mon, Aug 01, 2016 at 07:10:21PM -0300, Hugo Osvaldo Barrera wrote:
>> Hi,
>> 
>> I've always used password-protected ssh keys, with ssh-agent, and in
>> recent years, I've been using full disk encryption as well.
>> I'm wondering if there's some redundancy here, and if using FDE
>> nullifies the need for password-protecting the keys, or if there's some
>> attack vector I'm not considering.
>> 
>> Keep in mind that I'm using ssh-agent, and unlock the keys usually as a
>> first action after startup (I guess *not* using ssh-agent completely
>> changes the scenario).
> 
> It still makes sense to encrypt your ssh keys. Think of a bug in a browser
> that allows a server to read your files.

right.

Disk Encryption protects your key and other data when your computer is
OFF.  And only when it is off.  When your computer is active and the
file systems available, any attacker that manages to get into your
system through any means can see whatever they have access to.  If they
grab your no-passphrase key, they now have your key.  If they grab your
passphrased key...they got a jumble of funny characters.

Nick.
