I find it hard to live without Keychain on my workstations. It makes adding and managing keys for ssh-agent a no-brainer. But along with that ease of use comes a risk: as long as the key(s) have been decrypted then anyone that gains access to your account can access the same systems you can with your keys.
When I remembered, I would use ’ssh-add -x’ to lock the agent if I knew I would be away for while, but that has obvious problems for someone with a memory such as mine, it also doesn’t protect from an intruder accessing the system unbeknownst even while you are using it.
This is exactly what the ‘–clear’ option for Keychain solves. It adds a bit of an inconveniece to the user as he or she now needs to enter the password for the key(s) every time a new session is started, but it will prevent any unauthorized guests from accessing your unencrypted private keys.
Filed under: security , keychain, security, ssh
I have an external USB drive that I have been putting backups of my workstation on using Rsnapshot. It’s been bugging me for a while that it would be so easy for an intruder to grab it and be off with all my data. Encryption to the rescue.
I have been using EncFS for a couple of other things and realized it would be quite easy to set up for this situation. I won’t go into the details of setting that up since it has been covered in many places.
Anyhow, I thought it would be a simple matter of setting up the Encfs file system, rsyncing the old backups to the new encrypted file system and letting the backups continue. Life is never so simple. During the rsyncing I was getting errors about failed link operations. (I chose the use the -H option to preserve hardlinks since that’s part of what makes using rsnapshot so great.)
I was quite baffled by this. Initially I thought it was a bug or a deficiency with EncFS or FUSE. A bit of digging about and I realized that going with the “pre-configured paranoia mode” enables this thing called External IV Chaining. In simple terms this ties the file contents to the file name and in turn prevents hard linking. The man page for EncFS explains this in more detail.
Solution: re-setup the encrypted file system selecting the “expert configuration mode” and disabing External IV Chaining.
Now the data on my external drive is visible only with the correct password. Go ahead, steal it!
Filed under: linux, security , backups, encryption, fuse, security
