>> If my system password is not unknown to others then my encryption
>> password is probably no good either. I think root has to be trusted in
>> most cases. I would be interested to hear any arguments that "only
>> mount[ing] the encrypted, potentially sensitive stuff when you need it"
>> would be more secure than unmounting encrypted volumes at login time
>> (assuming a strong system authentication token).

> If I have a different password, there is no representation of it on disk
> (like crypt() or MD5 hashes of a login password). There's a reason my
> PGP pass phrase is different from my login password as well ;-). If one
> is compromised, the other isn't.

As I mentioned, I am assuming a strong system authentication token. As you mention, storing MD5 hashes on disk is not a strong system authentication token. But I'm sure one could produce a technique for storing passwords on disk that would be as difficult to decipher as performing a known plain text attack on your on-disk encrypted data.

I would also argue that if I have access to your account then I eventually have access to your PGP keys. I can install something in .bash_profile and I can read your process memory, right?

I suppose that one could argue that all these passphrases and passwords are a defense in depth technique, but here is a fundamental problem: your system authentication token says to the system "this is me" and if that is not the case then all else is eventually doomed.

--
Mike