Sharpened Blade via devel devel@lists.fedoraproject.org wrote:
It would be stored with permissions for only root to read it, and you disk should be encrypted, or none of this matters.
It doesn't matter if your disk is encrypted. Whilst your computer is online, the contents are accessible. If your kernel memory is accessible through /dev/mem or /dev/kmem, there's a chance that your keys can just be read directly.
One of the things secure boot can do is lock down *read* access to your raw memory/kernel virtual memory to make it harder for someone to steal your secrets. It's not a secure as using a TPM ought to be, though.
And if you want to keep your key safe, you should really keep it in a removable hardware device. Leaving it on your hard drive, even with perms such that only root can read it isn't necessarily safe enough, sadly.
David