Somewhat OT, encryption question

Bruno Wolff III bruno at
Thu Nov 27 00:10:04 UTC 2014

On Wed, Nov 26, 2014 at 20:47:25 +0000,
  Bill Oliver <vendor at> wrote:
>On Wed, 26 Nov 2014, Bill Oliver wrote:
>Actually, let me be more specific.  Let's say I have data on a flash
>drive that is encrypted using gpg.  We can even say the flash drive
>itself is encrypted.
>Now let's say that flash drive is stolen, lost, etc. *and* the
>passphrase is compromised.  I want the data on the flash drive to be
>available *only on one computer* even if the passphrase is known.

If you don't need to decrypt data in the field, you can use public key 
encryption. You won't be able to decrypt the data without the private key. 
(Which you wouldn't have with you or the flash drive.)

TPMs provide a way to keep a secret on a computer that can't easily be 
extracted (otherwise you could supply the data in an emulated environment). 
I don't know if there is anything in Fedora for using say, luks with a 
TPM in a way that prevents the TPM info from being sniffed in a similar 
manner to how your passphrase is compromised. There has been some work 
with using TPMs with luks, but I don't know how the process works.

Note, that if this scenario comes about because someone grabs you and 
the flash drive, but not your computer, there could be dire consequences 
to not being able to decrypt the drive. Particularly if the people holding 
don't believe you, when you say you can't decrypt it.

More information about the users mailing list