ant-user mailing list archives

From Steve Loughran <ste...@apache.org>
Subject Re: Ant tasks to encrypt or decrypt passwords from property files
Date Tue, 20 Jun 2006 10:27:28 GMT
Dominique Devienne wrote:
>> we would be interested in encrypting.
> 
> 
> But then it's a chicken-and-egg problem, no?
> 
> Where are you going to store the passwords to decrypt the passwords
> read from properties files? --DD


I keep my password properties out of SCM, in a bit of the filesystem 
that is NTFS encrypted FS. That is only semi-secure, but to make it 
better the NTFS encrypt keys are kept in the laptop's TPM. You'd need 
the secret TPM key to 0wn the system.

I don't think that is perfect because

-the TPM driver stores its secret key in the kernel mode driver memory 
and does not ask for it again when the laptop hibernates. That implies 
it gets stored to the hibernate file when the laptop goes into S5 state, 
when it should really erase all knowledge of the key before shutting 
down, and do it again on startup (in case the laptop did a battery 
critical S0-S5 transition without telling the drivers).

-you have to assume that there is a back door in the TPM for 
governments. Why else would they let Vista and OS X ship with TPM 
integration?

-If the next bit of the UK RIPE act is turned on, it will allow the 
government to ask users for their private keys used for communications, 
and imprison you if you don't turn them over. I will have to use 
different keys for signing apps from ssh from PGP-emails.

-keystroke interceptors can get at your TPM password by subverting the 
OS or the keyboard controller CPU, which does of course keep all its 
firmware in the main BIOS.

Now, a USB memory stick with encrypted memory and a pin keypad on the 
stick, that would be secure storage.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
For additional commands, e-mail: user-help@ant.apache.org
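The practice the reply describes, keeping the password properties outside the checked-in tree and loading them at build time, can be expressed in an ordinary Ant build file. The following is an added example, not code from the thread or from the Ant project; it assumes a hypothetical secrets file at `${user.home}/.build-secrets/deploy.properties` defining `deploy.user` and `deploy.password`, and the `deploy` target is only a stand-in for whatever task actually consumes the credentials.

```xml
<project name="credential-loading" default="deploy" basedir=".">
  <!-- Added example. The secrets file path is an assumption: it lives under the
       user's home directory, outside the SCM-controlled source tree. -->
  <property name="secrets.file" value="${user.home}/.build-secrets/deploy.properties"/>

  <!-- Load the secrets file before any checked-in property file. Ant properties
       are immutable once set, so a value committed to build.properties cannot
       silently replace the one read from the private file. -->
  <property file="${secrets.file}"/>
  <property file="build.properties"/>

  <!-- Fail early and loudly if the private file is absent or incomplete, rather
       than letting a later task run with an empty user name or password. -->
  <target name="check-secrets">
    <fail message="Missing or incomplete ${secrets.file}: it must define deploy.user and deploy.password and must stay out of SCM">
      <condition>
        <not>
          <and>
            <isset property="deploy.user"/>
            <isset property="deploy.password"/>
          </and>
        </not>
      </condition>
    </fail>
  </target>

  <target name="deploy" depends="check-secrets">
    <!-- Log only the user name; the password never appears in build output,
         which is often captured by CI servers and shared with people who
         should not see it. -->
    <echo message="Deploying as ${deploy.user}"/>
    <!-- The real deployment task (e.g. an scp or ftp task configured with
         ${deploy.user} and ${deploy.password}) would go here. -->
  </target>
</project>
```

Because `<property file=.../>` silently ignores a missing file, the explicit `<isset>` check is what turns a forgotten or misplaced secrets file into a clear build failure instead of an authentication error further down the line.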

