trusted keyring storage
Fri, 17 Sep 1999 11:23:29 +0100
> Hi, I was just curious as to how most *nix users store their keys. I used
> to use PGP on Windows and considered it a pretty safe place to store my keys
> since it was a single-user OS... until more and more security flaws became
> revealed which would allow anyone to get at my keys anyway.
I run FreeBSD on a laptop and just store the secret keys as normal in
the filestore, with no other special precautions. Just the same as my
SSH keys, SSL Certificate Authority keys, &c, &c.
OTOH I *do* take all sorts of precautions over the laptop itself. It's
single-boot into FreeBSD (unless you have a PCCard floppy drive).
There's a BIOS password in use. FreeBSD has the "console" marked as
"insecure" so it won't boot into single-user mode without the "root"
password. *Nobody* else gets to use it. It runs with the bare minimum
of "listening" processes (syslog and SMTP) and these ports are blocked
by kernel packet filters. All other incoming calls are blocked as well
just-in-case. I *never* leave the machine switched on unattended.
> I have taken the necessary measures regarding permissions to protect my dir,
> keys, etc. and am quite familiar with security measures, but I still am a
> little weary of putting keyrings on any networked machine. I guess my real
> question is, "Am I being too paranoid?" :)
No. You can never be too paranoid. I don't consider myself absolutely
safe - it's a matter of risk assessment and balancing the time-and-
effort of increased security against the threat assessment and cost
of damage from a compromise. BTW: that laptop is not running at the
moment - it only gets run when it needs to!