On 12/6/10 2:21 PM, Marcio B. Jr. wrote:
> Hello,
> sorry for this insistence. I just want to get it clearly.
>
> So, you mean those devices certainly protect information better than a
> regular computer (even if making proper use of disk encryption
> software)?
>
Yes. Ultimately a malicious user with 'root' access can compromise any software solution. Maybe that means downloading your keys and mounting an offline attack. Maybe that means downloading your keys and installing a keylogger to get your passphrase. Or finding your unencrypted key that's been cached by gpg-agent in system memory. Full Disk Encryption doesn't provide protection there when your system is up and running; it only helps when someone steals your laptop, or tries to access the system while it's powered down.

By moving the keys to a dedicated hardware device, it creates a partition between your (possibly compromised) computer's OS and the device. The key information never gets loaded into the OS and is opaque to the system. So now a malicious user would need to 'root' your card, or card reader, which would probably involve something like trying to access or change the physical chips on the device, and is much, much harder than installing a root-kit, or creating a virus, or developing some other malicious software.

That's also why people are talking about readers with pin-pads. That prevents someone from installing a general-purpose keyboard sniffer to get your pin, stealing your physical token, and having the two pieces of info they need to use your keys.

-- 
Grant

"I am gravely disappointed. Again you have made me unleash my dogs of war."
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
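The boundary Grant describes, as an added model that is not part of the original thread or of GnuPG: a key that lives in host memory (a key file, or gpg-agent's cache) against a key that lives inside a PIN-protected token, each faced with an attacker who has root on the host. HMAC over SHA-256 stands in for the signing primitive so the script runs on the Python standard library alone; the point is where the key material sits, not which algorithm signs. The class and function names (Host, SoftwareKey, Token, the attack_* functions), the PIN, the retry limit and the forged message are all constructed for the illustration.

```python
"""Constructed model of 'key in host memory' versus 'key in a token'.

Added illustration, not GnuPG or smartcard code. HMAC-SHA256 replaces
the real signature scheme so this runs offline on the standard library;
verify() therefore uses the same key as sign() and merely stands in for
public-key verification. All names and values are made up for the demo.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def _mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


class Host:
    """The possibly compromised computer. root reads everything here:
    key files, gpg-agent's unencrypted cache, and every keystroke."""

    def __init__(self) -> None:
        self.memory: Dict[str, bytes] = {}   # what a memory/disk dump yields
        self.keystrokes: List[str] = []      # what a keylogger records

    def type_on_host_keyboard(self, text: str) -> None:
        self.keystrokes.append(text)


class SoftwareKey:
    """Secret key kept on the host (on disk or decrypted in gpg-agent)."""

    def __init__(self, host: Host) -> None:
        self.host = host
        host.memory["secret_key"] = os.urandom(32)

    def sign(self, message: bytes) -> bytes:
        return _mac(self.host.memory["secret_key"], message)

    def verify(self, message: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(_mac(self.host.memory["secret_key"], message), sig)


class Token:
    """Smartcard-like device: key generated on the device, no export
    command, sign() only after the right PIN. Wrong PINs burn a retry
    counter; at zero the card is blocked even for the correct PIN."""

    MAX_RETRIES = 3  # constructed value

    def __init__(self, pin: str) -> None:
        self._key = os.urandom(32)   # never leaves the object
        self._pin = pin
        self.retries_left = self.MAX_RETRIES

    def sign(self, pin: str, message: bytes) -> Optional[bytes]:
        if self.retries_left == 0:
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.retries_left -= 1
            return None
        self.retries_left = self.MAX_RETRIES
        return _mac(self._key, message)

    def verify(self, message: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(_mac(self._key, message), sig)


FORGED = b"constructed forged message"


def attack_software_key(host: Host, key: SoftwareKey) -> bool:
    """root dumps host memory, takes the key, and signs offline on any
    machine, for as long as the key stays valid. Returns True on forgery."""
    dump = dict(host.memory)
    sig = _mac(dump["secret_key"], FORGED)
    return key.verify(FORGED, sig)


def attack_token_pin_typed_on_host(host: Host, token: Token, user_pin: str) -> dict:
    """Token in an ordinary reader: the user types the PIN on the host,
    so a keylogger gets it, though the dump still holds no key."""
    host.type_on_host_keyboard(user_pin)          # legitimate use by the owner
    dump = dict(host.memory)
    sniffed_pin = host.keystrokes[-1]             # keylogger output
    sig = token.sign(sniffed_pin, FORGED)         # works while the card is inserted,
    return {                                      # or after the card is stolen
        "key_in_dump": "secret_key" in dump,
        "pin_sniffed": sniffed_pin == user_pin,
        "forgery": sig is not None and token.verify(FORGED, sig),
    }


def attack_token_with_pinpad(host: Host, token: Token, guesses: List[str]) -> dict:
    """Reader with its own pin-pad: the PIN never touches the host, so the
    attacker who roots the box and then steals the card is left guessing."""
    dump = dict(host.memory)
    results = [token.sign(g, FORGED) for g in guesses]
    return {
        "key_in_dump": "secret_key" in dump,
        "pin_sniffed": len(host.keystrokes) > 0,
        "forgery": any(r is not None for r in results),
        "card_blocked": token.retries_left == 0,
    }
```

Run the three attack functions against fresh Host and Token objects to see the three outcomes side by side: the software key yields a forgery that verifies and needs no further access to the victim; the token with a host-typed PIN keeps the key out of the dump but hands the attacker the PIN, so the token can be misused while inserted or after it is stolen; the pin-pad variant leaves the attacker with neither, and wrong guesses block the card. One caveat the model leaves out: once the owner has entered the PIN on the pad and the card is still inserted, a rooted host can still submit its own sign requests to the card during that session, so the pin-pad protects the PIN and the key, not every individual signature.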