> > Storing your ssh private key encrypted such that even someone who > > completely compromises your system can't get the actual private key > > Well, if someone gets root on my system, he can get my ssh private > key.... right? Potentially not. If you are using a TPM or other TEE (such as SGX) they can't because the authentication is done from within the TEE. They may be able to hack your box and use the TEE to login somewhere but not to get the key out. Stopping the latter requires a TEE with its own secure input keypad (like some of the USB dongles) Other uses might be things like keeping a copy of the rpm database so you can ask the TEE if the database you have right now happens to match the one you signed as authentic. I suspect there are lots of interesting things that can be done with dm_crypt and also IMA in this area too. Alan -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html