[clue] simplifying linux/gpg encryption question?
David L. Anselmi
anselmi at anselmi.us
Fri Aug 10 20:18:19 MDT 2012
Mike Bean wrote:
> It might be a poor choice of words. Digital mortality, if you will? I
> took a job at a primarily UX/LX shop that uses certs/keys, rather than
> passwords to authenticate to the servers. But the computers are all
> laptops. It seems to me, the responsible thing to do if not using full
> disk encryption, is to AT LEAST encrypt my certs/keys.
Hmm. I think that if you do automatic encryption of files (by disk, directory, whatever) then full
disk encryption is probably the way to go. It shouldn't be hard--take a look at TrueCrypt. I just
got a Windows laptop using that and it's pretty easy.

Passwords have been obsolete for a long time (at least since people complained about the number they
had to manage for all their web sites, and I don't think containers like KeePassX change that).
Certificates (public keys) are the way to go.

I'm generally dissatisfied with encrypted keys like SSH uses. I've done all of typing a passphrase
each use, agents, and unencrypted keys (on networks where that should be safer than usual). IMO the
right answer is smart cards. I demo'd some of that last meeting. I don't know how to do those
personally on Linux but it's the 21st century so if it isn't easy we should make that happen.

Probably use of smart cards isn't foolproof, but let's get everyone using them and then we can worry
about the fools.
Dave