[aur-general] [AUR4] Support of multiple ssh public keys
Giancarlo Razzolini
grazzolini at gmail.com
Fri Jun 12 19:15:12 UTC 2015
On 12-06-2015 05:15, Remi Gacogne wrote:
> I am not, but everything depends on your threat model. If you are
> targeted via an "evil-maid", or a cold-boot attack, FDE may be doomed.
Which is why I use secureboot + TPM + this:
https://aur.archlinux.org/packages/mkinitcpio-chkcryptoboot/ and this:
https://aur.archlinux.org/packages/chkboot/
And I have plans to port the tails memory erase to archlinux.
>
> In addition to that, passphrase-protection on SSH keys has been weak for
> a long time, because a single MD5(IV || passphrase) is applied to
> generate the AES key used to encrypt the SSH key [1].
I'm aware of this, which is why I use Keepass + Keeagent, so not only is my
key encrypted inside the keepass database, it also has a very long
passphrase.
>
> OpenSSL 6.5 introduced a new KDF [2] using bcrypt, enabled by default
> for ed25519 keys but not for RSA keys, so you may want to upgrade your
> keys to use the new KDF manually.
I rotate my keys at least twice a year. And now that keeagent supports
ed25519 keys, I probably will rotate more often.
Now, for the AUR, if it's a simple implementation, then I don't see why
not do it. I just don't see much benefit in compartmentalizing your ssh
keys too much. Perhaps one for work and one personal will do.
Cheers,
Giancarlo Razzolini.
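As an added example, not from this thread or from any project it mentions, here is a small Python inspector that tells the legacy PEM container (passphrase key derived by a single MD5 pass, the weakness quoted above) apart from the openssh-key-v1 container, and reads the KDF name and bcrypt round count straight from the latter's header without needing the passphrase. The sample keys it builds are constructed headers with no real key material, and the `md5-evp_bytestokey` label is this example's own naming.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, off):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def inspect_private_key(pem_text):
    """Report how a private key file protects its passphrase. Legacy PEM
    (BEGIN RSA/DSA/EC PRIVATE KEY) uses OpenSSL EVP_BytesToKey, one MD5 pass
    over passphrase and IV; openssh-key-v1 names its KDF and bcrypt rounds."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":  # kdfoptions = string salt || uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "cipher": cipher.decode(), "kdf": kdf.decode(),
                "rounds": rounds, "encrypted": kdf != b"none"}
    # Legacy PEM: encryption is signalled only by the Proc-Type/DEK-Info headers.
    encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
    dek = next((ln.split(":", 1)[1].strip() for ln in lines if ln.startswith("DEK-Info:")), None)
    return {"format": "legacy-pem", "cipher": dek.split(",")[0] if dek else None,
            "kdf": "md5-evp_bytestokey" if encrypted else "none",
            "rounds": 1 if encrypted else None, "encrypted": encrypted}

def constructed_openssh_key(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=100):
    """CONSTRUCTED openssh-key-v1 header (no real key material), for testing only."""
    opts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(opts) + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64

# CONSTRUCTED legacy sample: headers plus a dummy body, no real key material.
LEGACY_SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```

A key reported as `legacy-pem` with `encrypted` set is the case Remi describes; `ssh-keygen -p -o -a <rounds>` rewrites such a key into the openssh-key-v1 container with the bcrypt KDF.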