Re: Hibernation and secret keys

2009-06-23 Thread Werner Koch
On Tue, 23 Jun 2009 16:55, ds...@jabberwocky.com said: > If possible, I'd also add a pause for running gpg processes to exit to > cover a small race condition. Even if the passphrase cache is wiped, > if there is a running gpg process at suspend time, secret material > could still be caught in th

Re: Hibernation and secret keys

2009-06-23 Thread David Shaw
On Jun 23, 2009, at 7:28 AM, Werner Koch wrote: On Sun, 21 Jun 2009 00:10, t.e...@yahoo.com said: So, here is the question: Is it possible to secure gpg (or PGP or TrueCrypt for that matter) on a Windows system? If you have the ability to run a program if hibernation kicks in, you may want

Re: Hibernation and secret keys

2009-06-23 Thread Werner Koch
On Sun, 21 Jun 2009 00:10, t.e...@yahoo.com said: > So, here is the question: Is it possible to secure gpg (or PGP or TrueCrypt > for that matter) on a Windows system? If you have the ability to run a program if hibernation kicks in, you may want to run: gpgconf --reload gpg-agent That delet

Re: Hibernation and secret keys

2009-06-22 Thread Robert J. Hansen
t eden wrote: > So, here is the question: Is it possible to secure gpg (or PGP or > TrueCrypt for that matter) on a Windows system? The word "secure" is meaningless except in a carefully defined context. What does "secure" mean to you? Define the word and then people can give their own two cents

Re: Hibernation and secret keys

2009-02-16 Thread Christoph Anton Mitterer
On Mon, 2009-02-16 at 09:19 +0100, Werner Koch wrote: > They will use a hardware logger and don't care about any encrypted > stuff > in your pocket. Of course this is possible,.. but perhaps only for someone more powerful. (NSA could perhaps even replace your CPU with one that has an additional OS

Re: Hibernation and secret keys

2009-02-16 Thread Werner Koch
On Fri, 13 Feb 2009 19:30, em...@sven-radde.de said: > "They" will have difficulties installing a keylogger if the unencrypted > /boot is always in your pocket and the HDD contains just encrypted > gibberish. They will use a hardware logger and don't care about any encrypted stuff in your pocket.

Re: Re: Hibernation and secret keys

2009-02-13 Thread Christoph Anton Mitterer
On Fri, 2009-02-13 at 19:30 +0100, Sven Radde wrote: > "They" will have difficulties installing a keylogger if the unencrypted > /boot is always in your pocket and the HDD contains just encrypted > gibberish. Correct :-) > I wonder when Linux will be able to utilize a TPM to integrity-protect > /

Re: Re: Hibernation and secret keys

2009-02-13 Thread Sven Radde
Hi! Michael Kesper wrote: >> Of course. The idea is that you can encrypt everything but the kernel >> +initrd, which is needed in order to decrypt the partition (better said, >> to set up the dm-crypt mapping). >> And an USB stick could be always with you. > > What is the additional gain to hav

Re: Hibernation and secret keys

2009-02-13 Thread Christoph Anton Mitterer
On Fri, 2009-02-13 at 10:58 +0100, Michael Kesper wrote: > What is the additional gain to having an unencrypted /boot partition on > the same device? What do you mean? > As I see it, only "boring" data gets ever written in > cleartext to the harddrive then. But even this data is sensitive, as one

Re: Hibernation and secret keys

2009-02-13 Thread Michael Kesper
Hi, On Thu, Feb 12, 2009 at 06:40:22PM +0100, Christoph Anton Mitterer wrote: > On Thu, 2009-02-12 at 00:09 +0100, Ingo Klöcker wrote: > > USB stick and secure? :-) > > Of course. The idea is that you can encrypt everything but the kernel > +initrd, which is needed in order to decrypt the partit

Re: Hibernation and secret keys

2009-02-12 Thread Christoph Anton Mitterer
On Thu, 2009-02-12 at 00:09 +0100, Ingo Klöcker wrote: > On Wednesday 11 February 2009, Christoph Anton Mitterer wrote: > > On Wed, 2009-02-11 at 22:37 +0100, Ingo Klöcker wrote: > > > > Your machine suspends, and writes a snapshot of its memory to > > > > disk. Sure, let's say it's even encrypted.

Re: Re: Hibernation and secret keys

2009-02-12 Thread Sven Radde
Hi! David Shaw wrote: > Hence the > question: "When you wake the machine, is the encrypted disk still > mounted?" See the last paragraph of : "Finished. During boot the

Re: Hibernation and secret keys

2009-02-11 Thread Ingo Klöcker
On Wednesday 11 February 2009, David Shaw wrote: > On Wed, Feb 11, 2009 at 10:37:43PM +0100, Ingo Klöcker wrote: > > On Wednesday 11 February 2009, David Shaw wrote: > > > On Wed, Feb 11, 2009 at 12:59:48PM +0100, Christoph Anton > > > Mitterer > > > > wrote: > > > > A good workaround is to use dis

Re: Hibernation and secret keys

2009-02-11 Thread Ingo Klöcker
On Wednesday 11 February 2009, Christoph Anton Mitterer wrote: > On Wed, 2009-02-11 at 22:37 +0100, Ingo Klöcker wrote: > > > Your machine suspends, and writes a snapshot of its memory to > > > disk. Sure, let's say it's even encrypted. When you wake the > > > machine, is the encrypted disk still

Re: Hibernation and secret keys

2009-02-11 Thread Christoph Anton Mitterer
On Wed, 2009-02-11 at 17:00 -0500, David Shaw wrote: > If the answer is "Yes", then you're not protecting very much. You did > not succeed in doing what you were trying to do. If the answer is > "No", you at least avoided the usual pitfalls. Yep,... you're right =) It should be really possibly t

Re: Hibernation and secret keys

2009-02-11 Thread David Shaw
On Wed, Feb 11, 2009 at 10:37:43PM +0100, Ingo Klöcker wrote: > On Wednesday 11 February 2009, David Shaw wrote: > > On Wed, Feb 11, 2009 at 12:59:48PM +0100, Christoph Anton Mitterer > wrote: > > > A good workaround is to use disk encryption (dm-crypt or similar > > > things). > > > > Encrypted d

Re: Hibernation and secret keys

2009-02-11 Thread Christoph Anton Mitterer
On Wed, 2009-02-11 at 22:37 +0100, Ingo Klöcker wrote: > > Your machine suspends, and writes a snapshot of its memory to disk. > > Sure, let's say it's even encrypted. When you wake the machine, is > > the encrypted disk still mounted? > > Obviously not. Why? This IS of course possible... Of c

Re: Hibernation and secret keys

2009-02-11 Thread Ingo Klöcker
On Wednesday 11 February 2009, David Shaw wrote: > On Wed, Feb 11, 2009 at 12:59:48PM +0100, Christoph Anton Mitterer wrote: > > A good workaround is to use disk encryption (dm-crypt or similar > > things). > > Encrypted disks don't help without serious OS support around suspend. Obviously. > Y

Re: Hibernation and secret keys

2009-02-11 Thread David Shaw
On Wed, Feb 11, 2009 at 12:59:48PM +0100, Christoph Anton Mitterer wrote: > A good workaround is to use disk encryption (dm-crypt or similar things). Encrypted disks don't help without serious OS support around suspend. Your machine suspends, and writes a snapshot of its memory to disk. Sure, let'

Re: Hibernation and secret keys

2009-02-11 Thread Christoph Anton Mitterer
A good workaround is to use disk encryption (dm-crypt or similar things). Best wishes, Chris.

Re: Hibernation and secret keys

2009-02-11 Thread Werner Koch
On Wed, 11 Feb 2009 02:17, ds...@jabberwocky.com said: > GPG does have some countermeasures against this sort of thing, but > given the nature of the problem, they are far from infallible. For example you can send a HUP to gpg-agent from a suspend event script. This makes sure that gpg-agent clea