Neil Bothwick schrieb:
> On Mon, 31 Mar 2008 07:36:52 +0100, Dirk Heinrichs wrote:
> 
>>> That still means your keys are readable all the time,  
>> By root only, chmod 400 is your friend.
> 
> But still readable.
>>> whereas mine 
>>> disappear long before the network comes up.  
>> So what? If somebody cracks into your box and gains root access, he
>> can't mount /boot and take the keys?
> 
> That's right, because the keys aren't in /boot ;-)

But they are somewhere. He who has cracked your box can simply look into
/etc/conf.d/dmcrypt to find out where your keyfile is stored and mount
that fs if needed. There's no difference in storing them on the root fs
directly, it will take the cracker just a few seconds longer to get it.

But hey, this answers my question about the sense of using gpg encrypted
keyfiles. :-)

Another possible solution is to put the keyfile(s) on a USB stick and
unplug it right after booting. I doubt I would always remember to do
so :-)

Bye...

        Dirk

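As an added example (mine, not part of the thread above): a small shell audit that reads the key= entries from a Gentoo-style /etc/conf.d/dmcrypt, the file the reply says an intruder with root would consult, and reports for each keyfile where it lives, whether it is gpg-wrapped and whether anyone beyond root can read it. It assumes the key='/path[:gpg]' entry syntax and builds its own constructed sample config and keyfiles in a temp directory; none of the paths are from the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Audits the keyfiles named in a
# Gentoo-style /etc/conf.d/dmcrypt: where each key lives, whether it is gpg-wrapped
# and whether anyone besides root can read it on disk.
# Assumptions (not stated in the thread): entries look like key='/path/to/file[:gpg]'
# and only the ":gpg" suffix marks a passphrase-protected key. Paths containing
# spaces are not handled.

# Emit "<path> <mode>" per key entry, mode being "gpg" or "plain".
dmcrypt_keys() {
    sed -n 's/^[[:space:]]*key=//p' "$1" | tr -d "\"'" |
    while IFS= read -r spec; do
        case "$spec" in
            *:gpg) printf '%s gpg\n' "${spec%:gpg}" ;;
            *:*)   printf '%s plain\n' "${spec%%:*}" ;;   # other suffixes treated as plain
            *)     printf '%s plain\n' "$spec" ;;
        esac
    done
}

# Emit "<verdict> <mode> <perms> <path>" for one keyfile.
#   MISSING        the file the config points at does not exist
#   NOT_ROOT_ONLY  group or other permission bits are set (not chmod 400/600)
#   GPG_WRAPPED    root can read the file but still needs the passphrase
#   PLAIN_ON_DISK  root reads the raw key directly (the point made in the thread)
keyfile_status() {
    path="$1" mode="$2"
    if [ ! -e "$path" ]; then
        printf 'MISSING %s - %s\n' "$mode" "$path"
        return
    fi
    # GNU stat first, BSD stat as fallback; both yield octal bits such as 400
    perms=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path" 2>/dev/null)
    case "$perms" in
        *00) if [ "$mode" = gpg ]; then verdict=GPG_WRAPPED; else verdict=PLAIN_ON_DISK; fi ;;
        *)   verdict=NOT_ROOT_ONLY ;;
    esac
    printf '%s %s %s %s\n' "$verdict" "$mode" "$perms" "$path"
}

# Run the audit over every key entry in the given config file.
audit_dmcrypt() {
    dmcrypt_keys "$1" | while read -r path mode; do
        keyfile_status "$path" "$mode"
    done
}

# Build a constructed sample in a temp directory (config plus the keyfiles it
# names) and print the config path; every path and value here is made up.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/keys"
    printf 'A' > "$dir/etc/keys/home.key";     chmod 400 "$dir/etc/keys/home.key"
    printf 'B' > "$dir/etc/keys/data.key.gpg"; chmod 400 "$dir/etc/keys/data.key.gpg"
    printf 'C' > "$dir/etc/keys/swap.key";     chmod 644 "$dir/etc/keys/swap.key"
    cat > "$dir/dmcrypt" <<EOF
# constructed sample in the /etc/conf.d/dmcrypt layout
target=crypt-home
source='/dev/sda3'
key='$dir/etc/keys/home.key'

target=crypt-data
source='/dev/sda4'
key='$dir/etc/keys/data.key.gpg:gpg'

target=crypt-swap
source='/dev/sda2'
key="$dir/etc/keys/swap.key"
EOF
    echo "$dir/dmcrypt"
}

# Stand-alone run: audit the constructed sample and clean up.
sample_conf=$(make_sample)
audit_dmcrypt "$sample_conf"
rm -rf "$(dirname "$sample_conf")"
```

Run as-is to see the three verdicts for the sample; to check a real box, call audit_dmcrypt /etc/conf.d/dmcrypt as root. Any PLAIN_ON_DISK line is exactly the case the reply describes (the key is one config read away for whoever has root), and NOT_ROOT_ONLY lines are the ones chmod 400 was supposed to prevent.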