On Wed, Nov 26, 2014 at 20:47:25 +0000, Bill Oliver <vendor@xxxxxxxxxxxxx> wrote:
On Wed, 26 Nov 2014, Bill Oliver wrote: Actually, let me be more specific. Let's say I have data on a flash drive that is encrypted using gpg. We can even say the flash drive itself is encrypted. Now let's say that flash drive is stolen, lost, etc. *and* the passphrase is compromised. I want the data on the flash drive to be available *only on one computer* even if the passphrase is known.
If you don't need to decrypt data in the field, you can use public key encryption. You won't be able to decrypt the data without the private key. (Which you wouldn't have with you or the flash drive.)
TPMs provide a way to keep a secret on a computer that can't easily be extracted (otherwise you could supply the data in an emulated environment). I don't know if there is anything in Fedora for using say, luks with a TPM in a way that prevents the TPM info from being sniffed in a similar manner to how your passphrase is compromised. There has been some work with using TPMs with luks, but I don't know how the process works.
Note, that if this scenario comes about because someone grabs you and the flash drive, but not your computer, there could be dire consequences to not being able to decrypt the drive. Particularly if the people holding don't believe you, when you say you can't decrypt it.
-- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
