3

SSH and GPG each ask for passphrases during key generation. GPG also (at least from my experience) displays warnings if one is not provided and asks for confirmation that no security is indeed desirable.

Thus, it would seem, it is important to provide such passphrases.

However, assuming full disk encryption, I can't really get why?

My (likely flawed) thinking is as follows. These are threats to private keys:

  • Device theft; but if someone steals a device that is powered off then FDE already protects me from this (at least until the thief is determined enough to apply rubberhose decryption on me);
  • Momentary physical access; but in this case I'm hosed either way;
  • My PC is compromised, someone managed to install malware on my device; but in this case, again, I'm hosed either way because I have a keylogger installed that steals my passphrase. And that's even if the attacker wasn't able to root my PC!

Thus, the only scenario I can think of when the passphrase can be any good is theft of a powered on device; then indeed the passphrase might save me; but I find such a scenario not very likely. On the other hand, having to reenter the passphrase each time I make a git commit or send e-mail is annoying.

What are the uses of passphrases protecting SSH / GPG private keys I'm not aware of?

gaazkam
  • 5,657
  • 11
  • 24
  • 38
  • While you might eventually notice that your system is compromised (key logger etc) you will not notice if the attacker has just copied your unprotected key because no changes are done to your system. – Steffen Ullrich Dec 09 '18 at 20:52
  • With FDE there's no strong reason. It does protect against accidental sharing and against basic malware that extracts a file but doesn't keylog. I asked [similar](https://security.stackexchange.com/questions/66839/how-to-decide-whether-to-password-protect-key-files-in-addition-to-full-disk-enc) in the past. – paj28 Dec 10 '18 at 08:47
  • @paj28 Of course there's a reason, even with FDE. Partitioning security systems is good. – forest Dec 10 '18 at 08:48
  • @forest - sure, partitioning is great. However, this is not a partition – paj28 Dec 10 '18 at 08:49
  • @paj28 I mean partition as in isolation and separation, not as in partition table. – forest Dec 10 '18 at 08:50

1 Answers1

2

  • An encryption key is kept in memory for as long as it is being used. For disk encryption, the key is necessarily present in memory for the time the encrypted partition is mounted (for FDE, this is the entire uptime of the computer). Encrypting private keys ensures that the sensitive key material will only be available for very brief periods. The chances that a passive physical attack (one where integrity is not violated) will occur within the brief period that a private key encryption key is in memory is very small.

  • An arbitrary disk read vulnerability or DAC bypass may allow a malicious local process to read disk contents, potentially including SSH or GPG keys. Full disk encryption does not mitigate this, but key encryption does.

  • A malicious program that passively reads from your disk and does not set up a keylogger would be able to bypass FDE, but could not decrypt private keys if they are encrypted. In some cases, it won't set up a keylogger because it simply can't, for example if it does not have access to the X11 cookie.

forest
  • 65,613
  • 20
  • 208
  • 262