Re: Fedora 32 System-Wide Change proposal: Disallow Empty Password By Default

On 12/10/19 1:04 PM, Kevin Kofler wrote:
> Przemek Klosowski via devel wrote:
>> 3) Multiple keys allow creating backup keys, preventing the data loss
>> scenario Kevin is worried about. Of course this assumes that the UX for
>> creating backup keys exists, and that people actually do that---but it's
>> possible in principle.
>
> The backup key is useless in that scenario if you cannot export it to
> another TPM, and isn't preventing such an export the whole point of the TPM
> technology?

Of course, the primary private key cannot be extracted from the original TPM. The easiest key recovery scheme would have two encrypted copies of the media encryption keys, one encrypted with the TPM-secured key and another encrypted with the backup/recovery key that you keep in a separate 'enterprise' key backup system. Here's one paper describing TPM key backup/recovery:

https://www.infineon.com/dgdl/Infineon-TPM_Key_Backup_and_Recovery-AP-v01_00-EN.pdf?fileId=db3a304412b407950112b41656d7203a


>         Kevin Kofler

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
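
The two-copy recovery scheme described in the message above, as an added example that is not part of the original post or of any Fedora or TPM tooling: the media encryption key is stored twice, once wrapped under a TPM-side key and once under a recovery key, so losing the TPM does not lose the data. Assumptions: the names `wrap` and `unwrap` are hypothetical, AES-256-GCM stands in for the wrapping step, and the TPM-side key is simulated by a software key (on real hardware that key never leaves the chip and the TPM performs the wrapping).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func gcm(kek []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// wrap encrypts the media key under kek; the slot name is bound as associated data.
func wrap(kek, mek []byte, slot string) ([]byte, error) {
	g, err := gcm(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, mek, []byte(slot)), nil
}

// unwrap fails on a wrong KEK, a blob copied from the other slot, or tampering.
func unwrap(kek, blob []byte, slot string) ([]byte, error) {
	g, err := gcm(kek)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("slot %q: bad key size or truncated blob", slot)
	}
	n := g.NonceSize()
	return g.Open(nil, blob[:n], blob[n:], []byte(slot))
}

func main() {
	keys := make([]byte, 96) // constructed sample: media key | TPM-side KEK | recovery KEK
	rand.Read(keys)
	mek, tpmKEK, recKEK := keys[:32], keys[32:64], keys[64:]
	tpmSlot, _ := wrap(tpmKEK, mek, "tpm") // stand-in: a real TPM seals this on-chip
	recSlot, _ := wrap(recKEK, mek, "recovery")
	// Original TPM gone: tpmSlot is unreadable, the recovery slot still yields the key.
	got, err := unwrap(recKEK, recSlot, "recovery")
	fmt.Println(len(tpmSlot), string(got) == string(mek), err)
}
```

The recovery key is only as safe as the system that stores it, since anyone who holds it can unwrap the media key without the TPM.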



