LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-06-2015, 06:47 PM   #46
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 9,157

Rep: Reputation: 3983Reputation: 3983Reputation: 3983Reputation: 3983Reputation: 3983Reputation: 3983Reputation: 3983Reputation: 3983Reputation: 3983Reputation: 3983Reputation: 3983

Quote:
Originally Posted by Ulysses_ View Post
If it's more than one container, with different keys each container, then the passphrase has to stay in ram or you type it over and over every time you open yet another container.

You want to work with 3 containers
Typing the password an average of 3 times doesn't seem like an excessive burden in the context of what you're trying to build.
 
Old 01-06-2015, 06:51 PM   #47
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,164

Original Poster
Rep: Reputation: 45
But that is exposing the passphrase to keyloggers we said.
 
Old 01-07-2015, 03:19 AM   #48
cepheus11
Member
 
Registered: Nov 2010
Location: Germany
Distribution: Gentoo
Posts: 286

Rep: Reputation: 89
Quote:
Originally Posted by Ulysses_ View Post
...with different keys each container, then the passphrase has to stay in ram or you type it over and over
Wrong: Keyfiles are an alternative to passphrases. Although they are named "key"files, they have nothing to do with the actual "key" but function exactly like passphrases. They are not in RAM the whole time, but are accessible through the local filesystem. If this is better or worse, your decision. If you run your browser with a different user account using

Code:
gksudo -u browseruser
you could protect the keyfiles from being read by the browser.

Both cryptsetup-luks and truecrypt can use keyfiles instead of passphrases or in addition to passphrases.
 
Old 01-07-2015, 05:18 AM   #49
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,164

Original Poster
Rep: Reputation: 45
Good idea, running the browser with another user account so as to hide the keyfile from malware coming from the browser.

We can do even better than that it seems with SELinux, otherwise it would not have been invented.

Last edited by Ulysses_; 01-07-2015 at 05:24 AM.
 
Old 01-07-2015, 05:50 AM   #50
cepheus11
Member
 
Registered: Nov 2010
Location: Germany
Distribution: Gentoo
Posts: 286

Rep: Reputation: 89
Yes, SELINUX is probably even better if configured right. Though it needs more research to configure it right.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
could SystemTap be used by malicious person to steal ssh password easily ? wzis Linux - Security 4 05-03-2014 07:43 PM
how to specify password for sudo command when running bg process? sneakyimp Linux - Newbie 9 06-30-2010 02:14 PM
Freeing I/O resource held by zombie process kronesr Linux - Software 2 02-22-2010 11:29 AM
child process usses same amount of ram as parent process socialjazz Programming 7 10-19-2006 05:48 PM
Forward X / Steal a process sval Linux - General 0 12-30-2004 10:32 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:01 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration