Re: Somewhat OT, encryption question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


On 11/26/2014 07:10 PM, Bruno Wolff III wrote:

On Wed, Nov 26, 2014 at 20:47:25 +0000,
 Bill Oliver <vendor@xxxxxxxxxxxxx> wrote:

On Wed, 26 Nov 2014, Bill Oliver wrote:

Actually, let me be more specific.  Let's say I have data on a flash
drive that is encrypted using gpg.  We can even say the flash drive
itself is encrypted.

Now let's say that flash drive is stolen, lost, etc. *and* the
passphrase is compromised.  I want the data on the flash drive to be
available *only on one computer* even if the passphrase is known.
If you don't need to decrypt data in the field, you can use public key encryption. You won't be able to decrypt the data without the private key. (Which you wouldn't have with you or the flash drive.)
NOBODY encrypts lots of data with asymmetric cryptography. Rather, using RSA say, you create a random AES key, encrypt the data with that, THEN encrypt the little key data with the public key.
If your private key is on a USB dongle with your software supporting it, it all works together.
TPMs provide a way to keep a secret on a computer that can't easily be extracted (otherwise you could supply the data in an emulated environment). I don't know if there is anything in Fedora for using say, luks with a TPM in a way that prevents the TPM info from being sniffed in a similar manner to how your passphrase is compromised. There has been some work with using TPMs with luks, but I don't know how the process works.
But you really need a trusted OS to use the TPM properly. With signed code and so forth. Yes, if you have software that stores your keys in the TPM, other, untrustworthy software could interceed. Thus you really want a trust chain if you are going for a TPM approach.
Note, that if this scenario comes about because someone grabs you and the flash drive, but not your computer, there could be dire consequences to not being able to decrypt the drive. Particularly if the people holding don't believe you, when you say you can't decrypt it.
Oh, it can get worst than that. If you get stopped in US customs, they can legally require you show them what you are bringing in. People have spent some time in jail working out that they have protection from exposing what they are carrying. Just be prepared to be stopped or use only microSD cards that you hide very well... 

Are you paranoid enough?


--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux