Backup encryption passphrase is exposed to dom0 process list #1582

Closed
mig5 opened this Issue Jan 4, 2016 · 2 comments

mig5 commented Jan 4, 2016

```
# ps aux | grep openssl | grep -v grep
miguel    5434  0.2  0.0  40560  4628 ?        S    08:03   0:00 openssl enc -e -aes-256-cbc -pass pass:this should not be seen
miguel    5436  0.0  0.0  40552  4604 ?        S    08:03   0:00 openssl dgst -SHA512 -hmac this should not be seen
```

Although the user has a bigger problem if a malicious actor is watching the dom0 process list with ps or top or similar, I think it would be better to use a file descriptor (is this a useful example? https://gist.github.com/morgant/9220139)

Maybe also related to #1523 and #971

@marmarek marmarek added this to the Release 3.0 updates milestone Jan 4, 2016


marmarek commented Jan 6, 2016

While openssl enc can be easily fixed, openssl dgst doesn't support alternative passphrase sources.


marmarek commented Jul 20, 2017

Fixed in Qubes 4.0 (thanks to scrypt instead of openssl usage).

@marmarek marmarek closed this Jul 20, 2017
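
Added example, not part of the original thread and not Qubes code: a Python sketch of the file-descriptor approach suggested above for `openssl enc`, together with a check that flags the two argv patterns shown in the report. The function names and the NUL-separated sample command lines are constructed for illustration; `-pass fd:N` is openssl's own passphrase-source syntax.

```python
import os
import subprocess

# openssl options whose *next* argument is the secret itself.
SECRET_VALUE_OPTS = {"-hmac", "-k"}
# Options taking a passphrase source; only the "pass:" form puts it in argv.
PASS_SOURCE_OPTS = {"-pass", "-passin", "-passout"}


def parse_proc_cmdline(raw: bytes) -> list:
    """Split the NUL-separated contents of /proc/<pid>/cmdline into argv."""
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]


def find_argv_secrets(argv: list) -> list:
    """Return the openssl options in argv that expose a secret to ps/top."""
    if not argv or os.path.basename(argv[0]) != "openssl":
        return []
    hits = []
    for opt, value in zip(argv, argv[1:]):
        if opt in SECRET_VALUE_OPTS:
            hits.append(opt)
        elif opt in PASS_SOURCE_OPTS and value.startswith("pass:"):
            hits.append(opt)
    return hits


def enc_argv(fd: int) -> list:
    """Same cipher as in the report, but the passphrase is read from fd."""
    return ["openssl", "enc", "-e", "-aes-256-cbc", "-pass", "fd:%d" % fd]


def encrypt_via_fd(passphrase: bytes, plaintext: bytes) -> bytes:
    """Run openssl enc with the passphrase sent over an inherited pipe."""
    rfd, wfd = os.pipe()
    try:
        os.write(wfd, passphrase + b"\n")  # openssl reads the first line
        os.close(wfd)
        return subprocess.run(enc_argv(rfd), input=plaintext, pass_fds=(rfd,),
                              stdout=subprocess.PIPE, check=True).stdout
    finally:
        os.close(rfd)


# Constructed samples: the two command lines from the report in /proc form.
SAMPLE_ENC = b"openssl\0enc\0-e\0-aes-256-cbc\0-pass\0pass:this should not be seen\0"
SAMPLE_DGST = b"openssl\0dgst\0-SHA512\0-hmac\0this should not be seen\0"
```

`encrypt_via_fd` needs an `openssl` binary on `PATH`; the checker functions run without it.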
