Post A47fSnhKOTbTc5k8fI by qwxlea@ioc.exchange
 Post #A47eBB7WTG4t5f1qZE by kzimmermann@fosstodon.org
       2021-02-10T06:25:03Z
       
       0 likes, 0 repeats
       
       Is it considered bad practice to create/use #PGP keys without a password? Points I'm considering:
       - Many people already use #SSH keys without passwords (especially for automated processes).
       - SSH keys are often stored plaintext in the filesystem with the only thing protecting them being the filesystem permissions, whereas PGP ones are slightly more obfuscated through the keyring.
       Is it dangerous not to set up a password, then? Sincere #question
       
 Post #A47fSnhKOTbTc5k8fI by qwxlea@ioc.exchange
       2021-02-10T06:39:09Z
       
       0 likes, 0 repeats
       
       @kzimmermann Passwordless ssh is not really 'passwordless' as in: we chopped off half the security of the thing. To, for example, log in to a server with ssh bob@example.com, you would pre-share the public half of your ssh-key to that server. Then when you connect over ssh, the ssh-daemon will compare your public and private keys and then either let you in or block you. This is convenient and makes automation possible/easy. Locally, your key still has a pw. https://www.redhat.com/sysadmin/passwordless-ssh#security
       
 Post #A47gWCPp3C0j63jur2 by darkstar@mastodon.nl
       2021-02-10T06:51:11Z
       
       0 likes, 0 repeats
       
       @kzimmermann Well, pgp is used as proof that a message is really from you, by signing it. So if you don't protect it with a strong passphrase, this proof becomes less reliable. If everyone stops using passphrases, the whole foundation under the trust system falls away. The same line of thought goes for encryption. If I send you an encrypted email, I am sure that during transport it is protected from unauthorised access and I am sure only you can open it. Trust is important.
       
 Post #A47kDcQKWo4K4fNAQq by teek_eh@aus.social
       2021-02-10T07:32:42Z
       
       0 likes, 0 repeats
       
       @kzimmermann If your hard drive is unencrypted and there's any chance it will be stolen by a thief determined to get at your key, then a strong password would be a good idea. I always set a password "just in case", but I always figured if someone has owned me sufficiently to read my homedir they're going to have no trouble capturing my keystrokes the next time I decrypt something.
       
 Post #A47kIdlKygfBfsapqy by teek_eh@aus.social
       2021-02-10T07:33:38Z
       
       0 likes, 0 repeats
       
       @kzimmermann If your hard drive is unencrypted and there's any chance it will be stolen by a thief determined to get at your key then a strong password would be a good idea. I always set a password "just in case" but figured if someone has owned me sufficiently to read my homedir they're going to have no trouble capturing my keystrokes the next time I decrypt something.
       
 Post #A47ygTKEphiJc3AxLU by fedops@fosstodon.org
       2021-02-10T10:14:48Z
       
       0 likes, 0 repeats
       
       @kzimmermann passwordless keys are a bad idea. If you want to use a PGP key to prove your identity it needs to be protected, e.g. by a passphrase or a token. There are solutions for all sorts of automation around SSH without resorting to passwordless keys. SSH agent, Ansible vault, ...
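The thread turns on two checkable facts about a key at rest: whether it is passphrase-protected, and whether anything but the owner can read it. The following audit script is an added example written for this page, not code from any of the posters. It parses the header of an OpenSSH private key (the "openssh-key-v1" container stores the cipher and KDF names in the clear, so "none"/"none" means an unprotected key; the legacy PEM form marks encryption with a "Proc-Type: 4,ENCRYPTED" header), applies the same question to a gpg-agent key file (keys under private-keys-v1.d are S-expressions tagged "protected-private-key" when a passphrase is set), and flags key files whose mode bits grant group or world access. The sample key blobs are constructed inline and carry no real key material; the directory paths in the `__main__` section are assumptions about a typical home directory.

```python
import base64
import os
import stat
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, offset: int):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def openssh_key_is_encrypted(key_text: str) -> bool:
    """True if an OpenSSH private key file is passphrase-protected.

    Modern keys: the base64 body starts with the magic, a cipher name and a
    KDF name; an unprotected key has both set to "none".
    Legacy PEM keys: encryption is announced by a "Proc-Type: 4,ENCRYPTED" header.
    """
    lines = key_text.strip().splitlines()
    if lines[0].startswith("-----BEGIN OPENSSH PRIVATE KEY-----"):
        body = "".join(line for line in lines[1:] if not line.startswith("-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_string(raw, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(raw, off)
        return cipher != b"none" and kdf != b"none"
    return any(line.startswith("Proc-Type:") and "ENCRYPTED" in line for line in lines)


def gpg_key_is_protected(key_bytes: bytes) -> bool:
    """True if a gpg-agent private key file (private-keys-v1.d/*.key) is
    passphrase-protected: the S-expression is tagged "protected-private-key"
    rather than bare "private-key"."""
    return b"protected-private-key" in key_bytes


def unsafe_mode_bits(mode: int) -> int:
    """Return the group/other permission bits set on a key file (0 is what we want).
    A key readable by group or world is protected by nothing at all."""
    return stat.S_IMODE(mode) & 0o077


def _sample_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Construct a minimal openssh-key-v1 header for testing; not a real key."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    raw = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(raw).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples: an unprotected key, a bcrypt/AES-protected key, a legacy encrypted PEM.
SAMPLE_PLAIN = _sample_openssh_key(b"none", b"none")
SAMPLE_ENCRYPTED = _sample_openssh_key(b"aes256-ctr", b"bcrypt")
SAMPLE_LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_GPG_PROTECTED = b"(21:protected-private-key(3:rsa(1:n1:x)))"
SAMPLE_GPG_PLAIN = b"(11:private-key(3:rsa(1:n1:x)))"


def audit_directory(directory: Path, kind: str):
    """Walk a key directory and yield (path, issue) tuples for keys that are
    unprotected or readable beyond the owner. kind is "ssh" or "gpg"."""
    for path in sorted(directory.glob("*")):
        if not path.is_file() or path.suffix == ".pub":
            continue
        bits = unsafe_mode_bits(path.stat().st_mode)
        if bits:
            yield path, f"mode grants group/other access: {bits:03o}"
        try:
            if kind == "ssh":
                protected = openssh_key_is_encrypted(path.read_text(errors="ignore"))
            else:
                protected = gpg_key_is_protected(path.read_bytes())
        except (ValueError, IndexError):
            continue  # config files, known_hosts, etc.
        if not protected:
            yield path, "private key has no passphrase"


if __name__ == "__main__":
    home = Path.home()  # assumption: default key locations under the user's home
    for directory, kind in ((home / ".ssh", "ssh"),
                            (home / ".gnupg" / "private-keys-v1.d", "gpg")):
        if directory.is_dir():
            for path, issue in audit_directory(directory, kind):
                print(f"{path}: {issue}")
```

Run it as-is to list keys in the default locations that would fall to exactly the scenario teek_eh describes (an unencrypted disk or a copied home directory). A key that shows up with no passphrase and a loose mode has nothing standing between the file and its use.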