WDef
Posted: July 05 2006, 10:15
This has confused a few others as well in the past so you're not alone.
You enter the password twice during bootup not only to decrypt an existing encrypted backup but also to set the password to encrypt your next backup - the password is written to a file /etc/sysconfig/des and this is read when the backup is made.
It's clearly a good idea to check the password typing for consistency before saving it to this file, otherwise a simple typo might render your backup un-decryptable. Hence typing it in twice.
I suppose it might be slightly clearer if the script returned an error message "You typed 2 different passwords" or something if you type the password differently each time.
The scripts could also be changed (I suppose) to only prompt for the password twice if an encrypted backup were found, but it's unnecessary complexity and there's no harm in a typing consistency check for decryption.
One point to note is that saving the password in plaintext to a file is a potential vulnerability of this type of scheme - should you be on a network and get hacked, the attacker might just read your password. At one point I suggested that this file be made only readable by root (600 perms) but that won't help that much since user dsl can sudo su to root. As with all encryption, if high security is needed it's better not to use it while connected to any network (inc. the internet of course).
It's also worth noting that the password needs to be longer than 8 chars or something, else you are not encrypting with triple DES but only with single DES, which is broken. Don't use single DES.
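The double-entry check and the 600-permission file described in the post above, as an added example that is not part of the original post and is not the DSL boot script. The function names are hypothetical, and `MIN_LEN` is an assumption taken from the post's approximate "longer than 8 chars" wording.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the DSL boot script).
# Reads a password twice from stdin, rejects a mismatch with an explicit
# message, and stores it in a file that is mode 600 from the moment it exists.

MIN_LEN=9   # assumption: mirrors the "longer than 8 chars" advice in the post

# read_secret VAR: read one line into VAR, hiding echo when stdin is a terminal
read_secret() {
    if [ -t 0 ]; then
        stty -echo
        IFS= read -r "$1"; rc=$?
        stty echo; echo >&2
        return "$rc"
    fi
    IFS= read -r "$1"
}

# store_password FILE
# returns 0 = stored, 1 = entries differ, 2 = too short, 3 = input ended early
store_password() {
    target=$1
    read_secret pw1 || return 3
    read_secret pw2 || return 3
    if [ "$pw1" != "$pw2" ]; then
        echo "You typed 2 different passwords" >&2
        return 1
    fi
    if [ "${#pw1}" -lt "$MIN_LEN" ]; then
        echo "Password must be at least $MIN_LEN characters" >&2
        return 2
    fi
    # umask inside a subshell leaves the caller's umask untouched. Writing a
    # temp file and renaming it means a failed write never truncates the
    # password already on disk, and the file is never briefly world-readable.
    (
        umask 077
        tmp="$target.$$"
        printf '%s\n' "$pw1" > "$tmp" && mv "$tmp" "$target"
    )
}
```

Called as `store_password /etc/sysconfig/des`, this would write the file the post names. As the post points out, mode 600 only restricts non-root readers and does nothing against an account that can `sudo su` to root.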