Re: paranoic gpg settings and /tmp

2010-12-09 Thread Athanasius
On Wed, Dec 08, 2010 at 06:50:26PM -0800, Brandon Sandrowicz wrote:
> On Wed, Dec 08, 2010 at 11:35:07PM +0100, Francesco de Virgilio wrote:
> > - Ubuntu 10.10
> > - /home encrypted with ecryptfs
> > - /tmp is a directory clearly readable by anyone having access to my hard
> >   disk
> >
> > Question: when I decrypt a message sent to me using GPG, is it
> > immediately printed on the standard output (my shell) or is a _decrypted_
> > copy created in /tmp and deleted after closing the message?
>
> You could try setting $TMP or $TMPDIR (which mutt may or may not
> respect) to a directory like $HOME/tmp, which is already encrypted.

  There's also, for .muttrc:

set tmpdir=~/tmp    # where to store temp files

At least I have that, it works, and mutt doesn't bitch at start time
about unknown config.

  In general I think it's a good idea to set TMP and TMPDIR to ~/tmp
anyway.  If you have a GOOD reason to want to have such on actual /tmp
(faster local disk instead of NFS disk?) then I'd recommend some shell
startup scripting to attempt to make /tmp/user/, and set TMPDIR to
that, bitching if it can't ensure it exists, is owned by you, and chmod
700.

-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
  Finger athan(at)fysh.org for PGP key
   And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence. Paula Cole - ME




Re: paranoic gpg settings and /tmp

2010-12-09 Thread Athanasius
On Thu, Dec 09, 2010 at 10:14:55AM +, Athanasius wrote:
>   In general I think it's a good idea to set TMP and TMPDIR to ~/tmp
> anyway.  If you have a GOOD reason to want to have such on actual /tmp
> (faster local disk instead of NFS disk?) then I'd recommend some shell
> startup scripting to attempt to make /tmp/user/, and set TMPDIR to
> that, bitching if it can't ensure it exists, is owned by you, and chmod
> 700.

  Aha, here's my example, I was looking in the wrong host's ~/.bashrc.
Yes it's generating ${HOME}/tmp in this example, and is a bit overkill
for that, but I copied it from similar for /tmp/${USER}.  Adjust to
taste.

## Try to guarantee a 'good' /tmp directory for me
MYTMP=${HOME}/tmp
if [ ! -d "${MYTMP}" ];
then
    # Something that is not a directory is in the way: remove it first
    if [ -e "${MYTMP}" ];
    then
        rm -f "${MYTMP}" 2> /dev/null
    fi
    mkdir "${MYTMP}" 2> /dev/null
fi
if [ ! -O "${MYTMP}" ];
then
    # Not owned by me: complain, send mail, and fall back to plain /tmp
    echo "Warning, someone else owns ${MYTMP} !"
    if [ ! -d "${MYTMP}" ];
    then
        echo "And it isn't a directory either."
    fi
    mail -s "/tmp problem" athan << END
Problem with ${MYTMP}
END
    export TMPDIR=/tmp
else
    # Mine: make it private and point temp-file users at it
    chmod 700 "${MYTMP}"
    export TMPDIR="${MYTMP}"
    export LYNX_TEMP_SPACE="${MYTMP}"
fi


-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
  Finger athan(at)fysh.org for PGP key
   And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence. Paula Cole - ME
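
The /tmp/${USER} variant described in the message above, as an added example that is not part of the original post. It covers the case that matters in a world-writable parent: the name may already exist as a symlink or as another user's directory. Unlike the posted script it never deletes what it finds. The function name ensure_private_tmp is an assumption.

```shell
# Added example: create or validate a private temp directory whose parent
# (such as /tmp) is writable by other users. ensure_private_tmp is a
# hypothetical helper name, not something from the thread.
ensure_private_tmp() {
    dir=$1
    # mkdir is atomic and does not follow a symlink in the last component:
    # it either creates the directory with mode 700 (via umask) or fails
    # because something is already there.
    if ! (umask 077 && mkdir "$dir") 2>/dev/null; then
        # Something exists (or the parent is missing). Accept it only if it
        # is a real directory, not a symlink, and is owned by us.
        if [ -L "$dir" ] || [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
            echo "Warning: $dir is not a directory owned by you, not using it" >&2
            return 1
        fi
    fi
    # Tighten a pre-existing directory that was left group/world accessible.
    chmod 700 "$dir" || return 1
    TMPDIR=$dir
    export TMPDIR
}

# Typical use from a shell startup file, with the same fallback as the
# posted script:
#   ensure_private_tmp "/tmp/${USER}" || export TMPDIR=/tmp
```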




paranoic gpg settings and /tmp

2010-12-08 Thread Francesco de Virgilio
Hi guys,
this time I've a question devoted to paranoic privacy settings with
mutt. My machine configuration:

- Ubuntu 10.10
- /home encrypted with ecryptfs
- /tmp is a directory clearly readable by anyone having access to my hard
  disk

Question: when I decrypt a message sent to me using GPG, is it 
immediately printed on the standard output (my shell) or is a _decrypted_
copy created in /tmp and deleted after closing the message?

If the latter hypothesis is correct, and considering that /tmp is not
encrypted, anyone physically removing my HD could in theory bring back
a copy of deleted messages using a recovery software from my
filesystem.

If so, I've to

A) encrypt my /tmp dir
B) set mutt to wipe temporary copies of decrypted messages

Cheers,
-- 
Francesco de Virgilio
*Ubuntu-it team member*
   mailto:frad...@ubuntu-it.org
   http://wiki.ubuntu-it.org/FrancescoDeVirgilio
*Wikimedia projects contributor*
   http://en.wikipedia.org/wiki/User:Fradeve11
*OpenStreetMap Mapper*
   http://www.openstreetmap.org/user/Fradeve11
*Blog*
   http://www.fradeve.org
Love - Peace - Freedom - Free Software




Re: paranoic gpg settings and /tmp

2010-12-08 Thread Brandon Sandrowicz
On Wed, Dec 08, 2010 at 11:35:07PM +0100, Francesco de Virgilio wrote:
> Hi guys,
> this time I've a question devoted to paranoic privacy settings with
> mutt. My machine configuration:
>
> - Ubuntu 10.10
> - /home encrypted with ecryptfs
> - /tmp is a directory clearly readable by anyone having access to my hard
>   disk
>
> Question: when I decrypt a message sent to me using GPG, is it
> immediately printed on the standard output (my shell) or is a _decrypted_
> copy created in /tmp and deleted after closing the message?
>
> If the latter hypothesis is correct, and considering that /tmp is not
> encrypted, anyone physically removing my HD could in theory bring back
> a copy of deleted messages using a recovery software from my
> filesystem.
>
> If so, I've to
>
> A) encrypt my /tmp dir
> B) set mutt to wipe temporary copies of decrypted messages
>
> Cheers,
> --
> Francesco de Virgilio
> *Ubuntu-it team member*
>    mailto:frad...@ubuntu-it.org
>    http://wiki.ubuntu-it.org/FrancescoDeVirgilio
> *Wikimedia projects contributor*
>    http://en.wikipedia.org/wiki/User:Fradeve11
> *OpenStreetMap Mapper*
>    http://www.openstreetmap.org/user/Fradeve11
> *Blog*
>    http://www.fradeve.org
> Love - Peace - Freedom - Free Software

You could try setting $TMP or $TMPDIR (which mutt may or may not
respect) to a directory like $HOME/tmp, which is already encrypted.

Of note, if you encrypt your /tmp directory, you might as well do the
same to your swap file/partition.
-- 
Brandon
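
A way to check which filesystem a candidate temp directory really lives on, given as an added example that is not part of the thread. It reads a mounts table in /proc/mounts format and reports whether the directory sits on ecryptfs, on tmpfs (which can be paged out to swap, hence the swap remark above), or on something else. The function names and the sample table are constructed, and the path is assumed to be absolute with symlinks already resolved.

```shell
# Added example. fstype_for_path, tmp_exposure and sample_mounts are
# hypothetical names; the mount table below is constructed sample data.

# Print the filesystem type of the mount that holds an absolute path.
# $2 is a table in /proc/mounts format: device mountpoint fstype options ...
fstype_for_path() {
    awk -v p="$1" '
        {
            mp = $2
            gsub(/\\040/, " ", mp)      # spaces in mount points appear as \040
            pre = (mp == "/") ? "/" : mp "/"
            # A mount covers p if it is p itself or one of its parents.
            # Longest mount point wins; on a tie the later line shadows.
            if ((p == mp || index(p "/", pre) == 1) && length(mp) >= best) {
                best = length(mp); fst = $3; found = 1
            }
        }
        END { if (!found) exit 1; print fst }
    ' "${2:-/proc/mounts}"
}

# Classify where files written under a directory end up.
tmp_exposure() {
    fst=$(fstype_for_path "$1" "${2:-/proc/mounts}") || { echo unknown; return 2; }
    case $fst in
        ecryptfs) echo "encrypted (ecryptfs)" ;;
        tmpfs)    echo "ram, may reach swap (tmpfs)" ;;
        *)        echo "plain unless the block device is encrypted ($fst)" ;;
    esac
}

# Constructed table resembling the setup in the thread: plain root
# filesystem holding /tmp, ecryptfs mounted over the home directory.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,errors=remount-ro 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,ecryptfs_cipher=aes 0 0
EOF
}

demo_table=$(mktemp) && sample_mounts > "$demo_table"
for d in /tmp /home/alice/tmp /dev/shm/alice; do
    printf '%-16s %s\n' "$d" "$(tmp_exposure "$d" "$demo_table")"
done
rm -f "$demo_table"
```

On a live system, call `tmp_exposure "$TMPDIR"` with no second argument to read /proc/mounts directly.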