[aur-general] [AUR4] Support of multiple ssh public keys

Giancarlo Razzolini grazzolini at gmail.com
Fri Jun 12 19:15:12 UTC 2015

Em 12-06-2015 05:15, Remi Gacogne escreveu:
> I am not, but everything depends on your threat model. If you are
> targeted via an "evil-maid", or a cold-boot attack, FDE may be doomed.
Which is why I use secureboot + TPM + this: 
https://aur.archlinux.org/packages/mkinitcpio-chkcryptoboot/ and this: 

And I have plans to port the tails memory erase to archlinux.
> In addition to that, passphrase-protection on SSH keys has been weak for
> a long time, because a single MD5(IV || passphrase) is applied to
> generate the AES key used to encrypt the SSH key [1].
I'm aware of this, which is why I use Keepass + Keeagent, so not only my 
key is encrypted inside the keepass database, it also has a very long 
> OpenSSL 6.5 introduced a new KDF [2] using bcrypt, enabled by default
> for ed25519 keys but not for RSA keys, so you may want to upgrade your
> keys to use the new KDF manually.
I rotate my keys at least twice a year. And now that keeagent supports 
ed25519 keys, I probably will rotate more often.

Now, for the AUR, if it's a simple implementation, then I don't see why 
not do it. Just I don't see much benefit in compartimentalizing your ssh 
keys too much. Perhaps of for work and one personal will do.

Giancarlo Razzolini.


More information about the aur-general mailing list