[Nottingham] gpgpwd - keeping a commandline passwords list

Mike Cardwell nlug at lists.grepular.com
Tue Jun 19 08:49:27 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 18/06/12 22:41, James Moore wrote:

>> I don't think that the clipboard is ever synced to disk...
>> Unless you're thinking of swap? Anyway, I already use full disk
>> encryption and don't have a swap partition so I should be ok.
>> 
> FDE works on the swap partition as well (as long as it's on the
> same LVM stack or physical disk as the root partition).

It can be configured to do that yes. But I have an SSD and was
thinking about wear levelling as well as security.

> Apart from that, in my experience you can encrypt the swap
> partition in Windows 7 with no third party software, but I prefer
> to use something like TrueCrypt and give it the whole brick. Triple
> cascade, 256-bit AES-Twofish-Serpent using XTS method and Whirlpool
> hash. With the passphrase I use on my netbook, that's 6.8x10^144
> P90-years of bruteforce strong, there is no recovery disc
> (deliberately) and the only place the passphrase exists is in my
> head.

You're still subject to cold boot, evil maid and DMA through Firewire
etc attacks though of course -
https://grepular.com/Protecting_a_Laptop_from_Simple_and_Sophisticated_Attacks

> The (Windows) clipboard cache is usually in a reserved space in
> RAM, though it is treated like any other part of the RAM subsystem
> and cached to disk on occasion, such as when the system runs out of
> memory. Most word processors (read: typesetters) create temporary
> files when there is something in the clipboard cache, which contain
> a format-compatible copy of whatever's in the clipboard. All this
> does is speed up the pasting process (though with the speed of
> systems these days it's a bit redundant I think so it's a "feature"
> that should be deprecated for security's sake).

Let's just assume that Windows is insecure and stick to Linux ;) If I
were running a Windows machine it would definitely be sat on top of
TrueCrypt FDE.

> On topic, I can't quite see the logic in encrypting just one or two
>  files, particularly on a portable system, rather than locking the
> entire disk so without the proper credentials there is no way
> whatsoever to gain any useful information. Maybe it's just me.

Performance. Although a modern CPU with AES-NI instructions fixes that.

- -- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
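As an added illustration (not part of the thread, and not gpgpwd's code) of the swap setup James describes: on a Linux box that does keep a swap partition, the usual way to have it covered by encryption without storing a second passphrase is a random-key dm-crypt mapping in /etc/crypttab, with /etc/fstab pointing at the mapped device. The device path is an assumption for the example; everything else is standard Debian/Ubuntu crypttab syntax.

```conf
# /etc/crypttab  (constructed example; /dev/sda2 is an assumed device name)
# Map the swap partition with a fresh random key on every boot, so anything
# that was paged out is unreadable after a reboot and no passphrase is stored.
cswap  /dev/sda2  /dev/urandom  swap,cipher=aes-xts-plain64,size=256

# /etc/fstab  -- always reference the mapped device, never the raw partition
/dev/mapper/cswap  none  swap  sw  0  0
```

Two caveats a practitioner would want: a random-key swap cannot be resumed from, so hibernation (suspend-to-disk) stops working; and because the "swap" option re-formats the target at boot, identify the partition by a stable name (e.g. a /dev/disk/by-id/ path) rather than /dev/sdX, which can change order and would let the entry wipe the wrong device. If the root filesystem is already LVM-on-LUKS, a swap logical volume inside the same LUKS container is encrypted by that layer and needs no separate crypttab entry, which is the case James was describing.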


