On Tue, Aug 2, 2016, at 22:01, Nick Holland wrote:
> On 08/02/16 01:48, Remi Locherer wrote:
> > On Mon, Aug 01, 2016 at 07:10:21PM -0300, Hugo Osvaldo Barrera wrote:
> >> Hi,
> >>
> >> I've always used password-protected ssh keys, with ssh-agent, and in
> >> recent years, I've been using full disk encryption as well.
> >> I'm wondering if there's some redundancy here, and if using FDE
> >> nullifies the need for password-protecting the keys, or if there's some
> >> attack vector I'm not considering.
> >>
> >> Keep in mind that I'm using ssh-agent, and unlock the keys usually as a
> >> first action after startup (I guess *not* using ssh-agent completely
> >> changes the scenario).
> >
> > It still makes sense to encrypt your ssh keys. Think of a bug in a browser
> > that allows a server to read your files.
>
> Right.
>
> Disk Encryption protects your key and other data when your computer is
> OFF. And only when it is off. When your computer is active and the
> file systems available, any attacker that manages to get into your
> system through any means can see whatever they have access to. If they
> grab your no-passphrase key, they now have your key. If they grab your
> passphrased key...they got a jumble of funny characters.
>
> Nick.
>
Doesn't the fact that ssh-agent is running somehow make the keys accessible anyway? Or am I making misassumptions on how it works?

--
Hugo Osvaldo Barrera
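The exposure Hugo asks about, as an added example that is not part of the thread: a private ssh-agent is started, a throwaway key is loaded with a lifetime, the identity is shown to be usable by anything that can reach the agent socket, and it is then flushed. It assumes OpenSSH's ssh-agent, ssh-add and ssh-keygen are installed; the function name agent_demo and the key comment demo-comment are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Once a key sits in a running agent, neither
# FDE nor the key's passphrase matters any more: any process that can open
# $SSH_AUTH_SOCK can ask the agent to sign. Bound that window with ssh-add -t
# (lifetime), -c (confirm each use) or -x (lock), and flush with -D on screen lock.

agent_demo() {
    for tool in ssh-agent ssh-add ssh-keygen; do
        command -v "$tool" >/dev/null 2>&1 || { echo "skipped"; return 0; }
    done
    workdir=$(mktemp -d) || return 1
    # Throwaway key constructed for the demo; no passphrase so nothing prompts.
    ssh-keygen -q -t ed25519 -N '' -C demo-comment -f "$workdir/demo_key" || return 1
    # Start a private agent; eval exports SSH_AUTH_SOCK and SSH_AGENT_PID.
    eval "$(ssh-agent -s)" >/dev/null || return 1
    # -t 300: the agent forgets the key after five minutes even if nobody tells it to.
    ssh-add -t 300 "$workdir/demo_key" >/dev/null 2>&1 || return 1
    # From here on, ssh-add -l (or any ssh client using this socket) sees a usable identity.
    loaded=$(ssh-add -l 2>/dev/null | grep -c 'demo-comment' || true)
    # ssh-add -D drops every identity; hook it to your screen locker.
    # (ssh-add -x would instead lock the agent behind a password until -X.)
    ssh-add -D >/dev/null 2>&1
    after=$(ssh-add -l 2>/dev/null | grep -c 'demo-comment' || true)
    ssh-agent -k >/dev/null 2>&1
    rm -rf "$workdir"
    echo "$loaded $after"
}

agent_demo   # prints "1 0": one identity exposed while loaded, none after -D
```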