On Fri, 10 Jan 2003 13:45:07 EST, Andrew MacKenzie <andyat_private> said: > If the passphrase were to be entered by hand, say at boot time or some > such, would the security gain be much greater (depending on the strength of > the passphrase of course)? Is a brute force attack on the passphrase the > only reasonably possible means by which one can decrypt the data? This will close the problem of recovering a ready-to-use key from some server.conf file on disk. This will almost certainly stop Joe ScriptKid, and put a severe crimp in the plans of most inside attackers. However, there's still holes here - if the attacker gets access to the server's UID, they can do something like: % gdb your.server -p NNNNN (or whatever flags your debugger uses) gdb> print *pgpkey <lots of output skipped>. and then use that to reconstruct the key. Removing gdb doesn't help much, as the attacker can still run custom code that can use ptrace() and friends. If they break root (or whatever is needed to read /dev/kmem and /dev/swap) they can go scavenging there.... The important question is, of course, what you assess the chances that you will have a motivated attacker of that caliber targeting you. And only your site can evaluate what they think the risk model should be... -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 11:35:07 PST