On Mon, 2015-09-28 at 17:57 +0200, Olaf Hering wrote:
> On 28.09.2015 at 17:00, Dan Williams wrote:
> > On Mon, 2015-09-28 at 09:32 +0200, Olaf Hering wrote:
> >> Why is the VPN password stored in plain text in
> >> /etc/NetworkManager/system-connections? Is there a way to let the GUI
> >> ask for it every time?
> >
> > Note that the file is read-only by root. If somebody has root on your
> > machine, they can do a lot more than read your password.
>
> If the disk gets stolen the password is accessible. Thanks for your
> other suggestions, will work through them.

Yes, that is correct. Although best practices suggest full-disk encryption on anything that can walk away, plus two-factor "something you know and something you have" for VPNs. But yes, setting the flags in the file and removing the password should ensure that the password is not stored on-disk. You can also set the flags to '1' (agent-owned) and the common agents like GNOME and KDE will store the password in their respective keyrings/wallets that are protected by another password.

Dan
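An added example, not part of the original message and not NetworkManager's own code: a small audit that reports whether a connection keyfile still holds a VPN secret on disk and what its secret flags mean. It assumes the usual keyfile layout (a `[vpn]` section carrying `password-flags` and a `[vpn-secrets]` section holding the stored password); the flag values other than '1' come from NetworkManager's secret-flag definitions rather than from the thread, and both sample keyfiles are constructed.

```python
import configparser

# NMSettingSecretFlags bit values; only 1 (agent-owned) is named in the thread.
FLAG_NAMES = {
    0: "system-owned (kept in the keyfile)",
    1: "agent-owned (keyring/wallet)",
    2: "not-saved (ask every time)",
    4: "not-required",
}

def describe_flags(value):
    """Decode a *-flags value into readable names."""
    value = int(value)
    if value == 0:
        return [FLAG_NAMES[0]]
    return [name for bit, name in FLAG_NAMES.items() if bit and value & bit]

def audit_keyfile(text):
    """Return (secret keys stored on disk, decoded flags) for one keyfile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    on_disk = sorted(cp["vpn-secrets"]) if cp.has_section("vpn-secrets") else []
    flags = {}
    if cp.has_section("vpn"):
        flags = {k: describe_flags(v) for k, v in cp["vpn"].items()
                 if k.endswith("-flags")}
    return on_disk, flags

# Constructed sample keyfiles (not taken from the thread).
VPN_HEAD = "[connection]\nid=example-vpn\ntype=vpn\n\n[vpn]\nusername=alice\n"
STORED = VPN_HEAD + "password-flags=0\n\n[vpn-secrets]\npassword=sample-secret\n"
ASK_EACH_TIME = VPN_HEAD + "password-flags=2\n"

if __name__ == "__main__":
    for label, text in (("stored", STORED), ("ask", ASK_EACH_TIME)):
        secrets, flags = audit_keyfile(text)
        print(label, "secrets on disk:", secrets or "none", "flags:", flags)
```

To check a real connection, pass the contents of a file under /etc/NetworkManager/system-connections to `audit_keyfile`; reading those files requires root.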