DSL Embedded :: Security on thumb drive



I understand that part WDef. Thank's for the response. I just can't remember any other instance of this. Most things ask for a password twice when you setup or change it to verify you know what you typed, then only once after that. Asking twice for every login seemed wrong to me. If this is the way it is intended to be and that is the way it is working for me then all is well. It just seems awkward.

David
This has confused a few others as well in the past so you're not alone.

You enter the password twice during bootup not only to decrypt an existing encrypted backup but also to set the password to encrypt your next backup - the password is written to a file /etc/sysconfig/des and this is read when the backup is made.

It's clearly a good idea to check the password typing for consistency before saving it to this file otherwise a simple typo might render your backup un-decryptable. Hence typing it in twice.

I suppose it might be slightly clearer if the script returned an error message "You typed 2 different passwords" or something if you type the password differently each time.

The scripts could also be changed (I suppose) to only prompt for the password twice if an encrypted backup were found, but it's unnecessary complexity and there's no harm in a typing consistency check for decryption.

One point to note is that saving the password in plaintext to a file is a potential vulnerability of this type of scheme - should you be on a network and get hacked, the attacker might just read your password. At one point I suggested that this file be made only readable by root (600 perms) but that won't help that much since user dsl can sudo su to root. As with all encryption, if high security is needed it's better not to use it while connected to any network (inc the internet of course).

It's also worth noting that the password needs to be longer than 8 chars or something, else you are not encrypting with triple des but only with single des, which is broken.  Don't use single des.
Thank's WDef that helps explain things for me. It is a good tip on the 8 character password. Is this feature documented anywhere? I have searched about and not found any.

David
I don't know if it's documented.

The 8 char threshold for triple des  (if my memory serves me correctly) is stated in the des command's help output.

original here.