[clug] SSH Public key auth + Encrypted home dir
alexsatrapa at mac.com
Thu Aug 27 00:29:18 MDT 2009
On 26/08/2009, at 12:00 , Robert Edwards wrote:
> Another approach I will get around to investigating one day is to have
> a whole encrypted VM in my home directory.
I have a particularly stupid setup where I keep a VMWare image inside
an encrypted disk image on a WD Passport drive.
WD Passport, "Alex's Box of Tricks":
- VMWare Fusion.app
- Virtual Machines
- Bank Terminal.dmg (encrypted disk image)
- Alias to ../../Applications/VMWare Fusion.app
- Bank Terminal.vmwarevm
- ... other vmware images
If you try something similar, make sure you keep a copy of the virtual
machine software on the same disk as all those encrypted disk images.
On the Mac I just have to make sure that I launch that version of
VMWare Fusion by dragging the "Bank Terminal.vmwarevm" image onto the
VMWare Fusion application on that drive, thus the alias to VMWare
Fusion inside the encrypted disk image (you read that right, I use the
GUI for more than just having a dozen terminal windows open).
I also experimented briefly with setting the disk image to read-only
and copying it to a new version every time I wanted to log on and do
stuff with my bank. But then I realised that all this messing about
with virtual machines was dependent on my main OS being secure. So I
just do my Internet Banking in Omniweb (Flash disabled by default) on
the Mac. If someone had a keylogger installed, they'd get the details
they want directly from the keyboard, who cares about infecting the
I can imagine that if one was trying to protect sensitive material
which is not going to be read by the person sitting in front of the
computer, the encrypted VM image would serve some purpose. So your CA-
in-a-box could live there since the only stuff that transits the VM is
your commands to create a new certificate, and the encrypted file
carrying the private+public keys leaving through an ethernet interface
or floppy disk. Remembering that the expected threat is a keylogger/
screen-grabber tracking every input to and output from that VM.
Enough of my blathering. I'm sure you have determined a dozen flaws in
my plan and a dozen reasons why an encrypted VM makes sense.
More information about the linux