Hello Emilien, thanks for your reply, and sorry for my late answer.
> Sent: Monday, 24 November 2014 at 12:24
> From: "Emilien Klein" <emilien+gnuhealth....@klein.st>
> To: health-dev@gnu.org
> Subject: Re: [Health-dev] Build encyption example into live-CD?

[...]

>
> But back to the original question....obstacles against a demo-key?
>
> Shipping crypto keys, in particular if private keys are involved, isn't
> good practice.

[...]

> For GNU Health's live CD, if possible the keys should be generated on
> the fly the first time it is run.
>
> Would something like this be possible?
> A script is set up to run when the system starts up (using @reboot in
> cron), which will check if the keys exist.
> If keys do not exist, the key generation command is launched.
> If keys exist, do nothing.

That should be possible, although the GnuPG batch mode creation of keys is flagged as 'experimental'. But that's a different story.

> This will have a very minimal performance impact starting with the
> second boot sequence, and ensures everyone has unique keys.

This 'advantage' is as well a disadvantage if the user runs the Live-CD from a writeable medium (USB-stick, VM-instance), as he would always get a new key, and no good live example / demo can be created for this reason. (Target audience was the less experienced user!)

> Reason why shipping keys wouldn't be a good idea:
> Even if this is only a demo system, you can be assured that at least
> someone, somewhere, maybe with limited sysadmin skills or knowledge of
> encryption, will test the demo live-CD, be so enthused by it that it
> will use that as the basis for their production system.
> As in "Hey, what the heck, if it works nicely out of the box, and I've
> read that this "Linux" thing is secure, since I don't know much about
> it I'll just run the Live CD that is officially published. It has to
> be secure, right?".
>
> And then when patient information is stolen from their PRD system, the
> only thing we'll be able to help with is send reproaches: "you
> shouldn't have done that, haven't you followed all the instructions on
> the wiki?" (once it's updated ;) ) That's not very helpful to our
> users, and even less to their patients who have their private medical
> information floating around.
>
> Better be safe than sorry. If it's difficult for us, but easy for
> them, we should take the extra step and have the keys be generated on
> the fly instead of shipping the same keys to everybody.
>
> Let me know if you think this doesn't make sense.

Indeed, esp. the risk of using a Live-VM-instance as production system is a valid scenario.

Considering this, I feel it is better to have everything packed in the Live-CD and a good explanation of how to create a pair of keys and use it with GNU Health, rather than shipping a working example. And a set of keys.

Thanks for all your discussion input

Axel
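The first-boot key generation that the quoted proposal sketches (cron `@reboot`, check for existing keys, generate only if none), written out as an added example script. It is not code from the thread or from the GNU Health project; the directory under `/var/lib/gnuhealth`, the script name `gnuhealth-genkey`, the key sizes and the demo identity are assumptions. It uses GnuPG's batch parameter file, which is the "experimental" batch mode the reply refers to. The `%no-protection` line is what lets the run happen unattended at boot, and it is also what makes the resulting key demo-grade only: the secret key sits on disk without a passphrase, which is exactly the kind of setup the thread argues must not end up in a production system.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate a GnuPG key pair
# for a live system on first boot, and do nothing on every later boot.
# Paths, script name, key parameters and identity are assumptions.

# Where the demo key pair lives. On a read-only live CD this directory is
# lost at shutdown; on a writable medium (USB stick, VM) it persists.
GNUHEALTH_GPG_HOME="${GNUHEALTH_GPG_HOME:-/var/lib/gnuhealth/gnupg}"

# keys_present DIR: succeed (exit 0) if DIR already holds a secret key.
# A missing gpg binary or an empty keyring both count as "no key".
keys_present() {
    gpg --homedir "$1" --list-secret-keys --with-colons 2>/dev/null \
        | grep -q '^sec:'
}

# write_gpg_params FILE NAME EMAIL: write a GnuPG batch parameter file.
# %no-protection = secret key without passphrase, so the boot job needs no
# interaction; that is acceptable for a demo key only.
write_gpg_params() {
    cat >"$1" <<EOF
%echo Generating GNU Health demo key
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%no-protection
%commit
EOF
}

# generate_keys DIR NAME EMAIL: create the key pair only if none exists yet.
generate_keys() {
    dir=$1
    if keys_present "$dir"; then
        echo "GnuPG key already present in $dir, nothing to do"
        return 0
    fi
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    params=$(mktemp) || return 1
    write_gpg_params "$params" "$2" "$3"
    gpg --batch --homedir "$dir" --gen-key "$params"
    rc=$?
    rm -f "$params"
    return $rc
}

# Intended root crontab entry (assumed install path):
#   @reboot /usr/local/sbin/gnuhealth-genkey
# Only run the generation when invoked under that name, so the functions can
# be sourced elsewhere without side effects.
case $(basename "$0") in
    gnuhealth-genkey)
        generate_keys "$GNUHEALTH_GPG_HOME" "GNU Health demo" "demo@example.invalid"
        ;;
esac
```

On a read-only medium every boot starts without a key and the script regenerates one, which is the behaviour the reply calls a disadvantage for a reproducible demo; on a writable medium the first-boot key is kept and later boots exit early at the `keys_present` check.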