Musings about on-disk encryption in Fedora Core

[mike at flyn.org]

>> If my system password is not unknown to others then my encryption  
>> password is probably no good either.  I think root has to be trusted in  
>> most cases.  I would be interested to hear any arguments that "only  
>> mount[ing] the encrypted, potentially sensitive stuff when you need it"  
>> would be more secure than unmounting encrypted volumes a login time  
>> (assuming a strong system authentication token).
 
> If I have a different password, there is no representation of it on disk
> (like crypt() or MD5 hashes of a login password). There's a reason my
> PGP pass phrase is different from my login password as well ;-). If one
> is compromised, the other isn't.

As I mentioned, I am assuming a strong system authentication token.  As you
mention, storing MD5 hashes on disk is not a strong system authentication
token.  But I'm sure one could produce a technique for storing passwords on
disk that would be as difficult to decipher as performing a known plain text
attack on your on-disk encrypted data.

I would also argue that if I have access to your account than I eventually
have access to your PGP keys.  I can install something in .bash_profile and I
can read your process memory, right?

I suppose that one could argue that all these passphrases and passwords are a
defense in depth technique, but here is a fundamental problem: your system
authentication token says to the system "this is me" and if that is not the
case then all else is eventually doomed.

--
Mike