Somewhat OT, encryption question
Bruno Wolff III
bruno at wolff.to
Thu Nov 27 00:10:04 UTC 2014
On Wed, Nov 26, 2014 at 20:47:25 +0000,
Bill Oliver <vendor at billoblog.com> wrote:
>On Wed, 26 Nov 2014, Bill Oliver wrote:
>Actually, let me be more specific. Let's say I have data on a flash
>drive that is encrypted using gpg. We can even say the flash drive
>itself is encrypted.
>Now let's say that flash drive is stolen, lost, etc. *and* the
>passphrase is compromised. I want the data on the flash drive to be
>available *only on one computer* even if the passphrase is known.
If you don't need to decrypt data in the field, you can use public key
encryption. You won't be able to decrypt the data without the private key.
(Which you wouldn't have with you or the flash drive.)
TPMs provide a way to keep a secret on a computer that can't easily be
extracted (otherwise you could supply the data in an emulated environment).
I don't know if there is anything in Fedora for using say, luks with a
TPM in a way that prevents the TPM info from being sniffed in a similar
manner to how your passphrase is compromised. There has been some work
with using TPMs with luks, but I don't know how the process works.
Note, that if this scenario comes about because someone grabs you and
the flash drive, but not your computer, there could be dire consequences
to not being able to decrypt the drive. Particularly if the people holding
don't believe you, when you say you can't decrypt it.
More information about the users