On 12/4/19 5:25 AM, John M. Harris Jr wrote:
Network based decryption keys are possible, but I don't recommend it, because
there's no way to determine that the user booting up the system is actually
meant to have access to the data that's on it.
There are two distinct threat models:
- stolen/lost laptop: I think this is the most important one for most
people; it is mitigated by a trusted-network-based decryption, unless
the device is in unencrypted sleep mode and the new 'beneficial owner'
manages to read the disk before the system goes down.
- someone breaks into your home/office/hotel room and extracts the data:
important to some people but not very common scenario.
You are correct that it's hard to mitigate both of those threats, but I
think the first one is the primary concern.
To be clear, I was suggesting a network scheme where your device
authenticates from e.g. a trusted subnet to a known server IP with a
specific certificate associated with this IP. To defeat this, you can't
just set up a fake IP network; you would have to somehow break into
(physically or at least electronically) the trusted subnet.
By the way, as I said, Android/iOS solved those issues by having a
secure boot process, so the OS can fully boot and will keep the secrets
until local (or possibly remote) authentication. So this is a solved
problem, and perhaps we should be looking into securing the full boot
process instead of trying to mitigate threats resulting from the holes
in it.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
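The network-unlock scheme sketched in the reply above (device on a trusted subnet, known key-server address, certificate pinned to that address) reduces to a small policy decision at boot. The following is an added example written for this page, not code from the poster or from any Fedora component; the subnet, server address and certificate bytes are constructed stand-ins, and the SHA-256 fingerprint comparison stands in for the certificate check a real TLS client library would perform. It shows why a stolen laptop plugged into an attacker's network that merely imitates the home IP layout does not get its key released: the address checks pass, the pin does not.

```python
import hashlib
import hmac
import ipaddress

# Constructed policy values for this example (not from any real deployment).
TRUSTED_SUBNET = ipaddress.ip_network("10.20.0.0/16")
KEY_SERVER_IP = "10.20.0.5"

# The pinned value is the SHA-256 of the key server's DER-encoded certificate.
# A constructed byte string stands in for the certificate so this runs offline.
GENUINE_SERVER_CERT_DER = b"constructed-cert-for-key-server-10.20.0.5"
PINNED_FINGERPRINT = hashlib.sha256(GENUINE_SERVER_CERT_DER).hexdigest()


def cert_fingerprint(cert_der: bytes) -> str:
    """Fingerprint of a certificate as the policy compares it (hex SHA-256)."""
    return hashlib.sha256(cert_der).hexdigest()


def network_unlock_allowed(local_ip: str, server_ip: str,
                           server_cert_der: bytes) -> tuple:
    """Decide whether the disk key may be requested over the network.

    Returns (allowed, reason). Every failure means: do not release the key,
    fall back to local authentication (passphrase, TPM PIN, ...).
    """
    try:
        addr = ipaddress.ip_address(local_ip)
    except ValueError:
        return False, "invalid local address"
    # 1. Are we on the trusted subnet at all?
    if addr not in TRUSTED_SUBNET:
        return False, "not on trusted subnet; use local authentication"
    # 2. Is the key server at the address the policy expects?
    if server_ip != KEY_SERVER_IP:
        return False, "unexpected key server address"
    # 3. Does the certificate presented at that address match the pin?
    #    A fake network can reuse the IP layout but cannot produce this cert.
    presented = cert_fingerprint(server_cert_der)
    if not hmac.compare_digest(presented, PINNED_FINGERPRINT):
        return False, "certificate does not match pin (possible fake network)"
    return True, "pinned key server reached from trusted subnet"


def evaluate_scenarios() -> dict:
    """Three constructed situations a laptop might boot into."""
    attacker_cert = b"constructed-cert-presented-by-fake-network"
    return {
        # At home: trusted subnet, right server, right certificate.
        "home_network": network_unlock_allowed(
            "10.20.3.7", KEY_SERVER_IP, GENUINE_SERVER_CERT_DER)[0],
        # Elsewhere: address outside the trusted subnet, so no network unlock.
        "coffee_shop": network_unlock_allowed(
            "192.168.1.23", KEY_SERVER_IP, GENUINE_SERVER_CERT_DER)[0],
        # Stolen laptop on a network that copies the home addressing:
        # subnet and server IP match, but the pinned certificate does not.
        "fake_network_same_ip": network_unlock_allowed(
            "10.20.3.7", KEY_SERVER_IP, attacker_cert)[0],
    }


if __name__ == "__main__":
    for name, allowed in evaluate_scenarios().items():
        print(f"{name}: {'release key' if allowed else 'local auth required'}")
```

The remaining gap the reply itself points out is unchanged by this policy: if the machine is taken while running or in unencrypted sleep, the key is already in memory and no unlock decision is consulted.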