[clug] SSH Public key auth + Encrypted home dir

Alex Satrapa alexsatrapa at mac.com
Thu Aug 27 00:29:18 MDT 2009

On 26/08/2009, at 12:00 , Robert Edwards wrote:

> Another approach I will get around to investigating one day is to have
> a whole encrypted VM in my home directory.

I have a particularly stupid setup where I keep a VMWare image inside  
an encrypted disk image on a WD Passport drive.

  WD Passport, "Alex's Box of Tricks":
   - Applications
     - VMWare Fusion.app
   - Stuff
   - Virtual Machines
     - Bank Terminal.dmg (encrypted disk image)
       - Alias to ../../Applications/VMWare Fusion.app
       - Bank Terminal.vmwarevm
     - ... other vmware images

If you try something similar, make sure you keep a copy of the virtual  
machine software on the same disk as all those encrypted disk images.

On the Mac I just have to make sure that I launch that version of  
VMWare Fusion by dragging the "Bank Terminal.vmwarevm" image onto the  
VMWare Fusion application on that drive, thus the alias to VMWare  
Fusion inside the encrypted disk image (you read that right, I use the  
GUI for more than just having a dozen terminal windows open).

I also experimented briefly with setting the disk image to read-only  
and copying it to a new version every time I wanted to log on and do  
stuff with my bank. But then I realised that all this messing about  
with virtual machines was dependent on my main OS being secure. So I  
just do my Internet Banking in Omniweb (Flash disabled by default) on  
the Mac. If someone had a keylogger installed, they'd get the details  
they want directly from the keyboard; who cares about infecting the  
one-use VM?

I can imagine that if one was trying to protect sensitive material  
which is not going to be read by the person sitting in front of the  
computer, the encrypted VM image would serve some purpose. So your  
CA-in-a-box could live there since the only stuff that transits the VM is  
your commands to create a new certificate, and the encrypted file  
carrying the private+public keys leaving through an ethernet interface  
or floppy disk. Remembering that the expected threat is a  
keylogger/screen-grabber tracking every input to and output from that VM.

Enough of my blathering. I'm sure you have determined a dozen flaws in  
my plan and a dozen reasons why an encrypted VM makes sense.

