ant-user mailing list archives

From "Antoine Levy-Lambert" <anto...@gmx.de>
Subject Re: Re: Ant tasks to encrypt or decrypt passwords from property files
Date Tue, 20 Jun 2006 13:50:52 GMT
Hello Steve,

the real issue is password properties for systems which interface with several systems and
log on automatically to databases, real-time buses, web services, ...

These systems usually do not run on laptops.

The practical truth which I have often seen is that password properties are simply in clear
text on the file system. Often they are also in SCM, with SCM protections making sure that only
the people in charge of maintaining these properties can see them.

Regards,

Antoine


-------- Original Message --------
Date: Tue, 20 Jun 2006 11:27:28 +0100
From: Steve Loughran <stevel@apache.org>
To: Ant Users List <user@ant.apache.org>
Subject: Re: Ant tasks to encrypt or decrypt passwords from property files

> Dominique Devienne wrote:
> >> we would be interested in encrypting.
> > 
> > 
> > But then it's a chicken-and-egg problem, no?
> > 
> > Where are you going to store the passwords to decrypt the passwords
> > read from properties files? --DD
> 
> 
> I keep my password properties out of SCM, in a bit of the filesystem 
> that is NTFS encrypted FS. That is only semi-secure, but to make it 
> better the NTFS encrypt keys are kept in the laptop's TPM. you'd need 
> the secret TPM key to 0wn the system.
> 
> I don't think that is perfect because
> 
> -the TPM driver stores its secret key in the kernel mode driver memory 
> and does not ask for it again when the laptop hibernates. That implies 
> it gets stored to the hibernate file when the laptop goes into S5 state, 
> when it should really erase all knowledge of the key before shutting 
> down, and do it again on startup (in case the laptop did a battery 
> critical S0-S5 transition without telling the drivers).
> 
> -you have to assume that there is a back door in the TPM for 
> governments. Why else would they let vista and osx ship with TPM 
> integration?
> 
> -If the next bit of the UK RIPE act is turned on, it will allow the 
> government to ask users for their private keys used for communications, 
> and imprison you if you don't turn them over. I will have to use 
> different keys for signing apps from ssh from PGP-emails.
> 
> -keystroke interceptors can get at your TPM password by subverting the 
> OS or the keyboard controller CPU, which does of course keep all its 
> firmware in the main BIOS.
> 
> Now, a USB memory stick with encrypted memory and a pin keypad on the 
> stick, that would be secure storage.
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
For additional commands, e-mail: user-help@ant.apache.org

