Continuing the adventure with password changes.
After having to change my Fedora passwords/keys last week, I went about changing pretty much every other password I had too.
In doing so, I realised something enlightening. (read as: I'd made a horrific novice mistake).
I knew I'd committed the sin of writing down passwords for certain things. But "ah, I'll just encrypt the file and it'll be ok" was in hindsight pretty dumb. What I had done though was this:
gpg password.txt.gpg
vi password.txt
gpg -e password.txt
GAME. OVER.
Encrypting this file was utterly pointless. If my computer had been stolen, all an attacker would have had to do to see the contents of that file was run strings /dev/sda, and it would have turned up the plaintext password.txt easily enough.
Had I done the above operation in tmpfs, and moved the resulting .gpg file to hard disk afterward, I would have been okay. But because I'm a dumbass, I'd done the above directly on hard disk. Numerous times.
Tools like scrub exist to scribble over a file before it gets erased, but they wouldn't have helped me in the situation above, as it's gpg that removes the original unencrypted file. Also, scrub isn't necessarily reliable on a journalled filesystem.
What I really needed is a 'scrub unused data blocks' utility. In the absence of such a utility, I did dd if=/dev/zero of=/dev/sda and reinstalled. (It was long overdue a fresh reinstall anyway).
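As an added example (my own script, not something from the original post), here is the tmpfs version of the decrypt/edit/re-encrypt cycle described above: the plaintext only ever exists in a RAM-backed directory, and the editor's swap and backup files land there too because they default to the file's own directory. It assumes a Linux box with GnuPG, GNU coreutils and a tmpfs mounted at /dev/shm or $XDG_RUNTIME_DIR; the recipient argument is optional.

```shell
#!/bin/sh
# Edit a GPG-encrypted file without the plaintext ever touching the hard disk.
# Assumes: GnuPG, GNU stat/mktemp, and a tmpfs at /dev/shm or $XDG_RUNTIME_DIR.
set -eu

# Return 0 if DIR sits on a tmpfs (RAM-backed) filesystem.
is_tmpfs() {
    [ -d "$1" ] || return 1
    [ "$(stat -f -c %T "$1" 2>/dev/null)" = "tmpfs" ]
}

# Print a RAM-backed scratch directory, or fail rather than fall back to disk.
ram_scratch_dir() {
    for d in "${XDG_RUNTIME_DIR:-}" /dev/shm "/run/user/$(id -u)"; do
        [ -n "$d" ] && is_tmpfs "$d" && { printf '%s\n' "$d"; return 0; }
    done
    echo "no tmpfs scratch directory found; refusing to write plaintext to disk" >&2
    return 1
}

# edit_encrypted FILE.gpg [RECIPIENT]
edit_encrypted() {
    enc=$1
    recipient=${2:-}
    ram=$(ram_scratch_dir)
    work=$(mktemp -d "$ram/gpgedit.XXXXXX")
    chmod 700 "$work"
    plain="$work/$(basename "${enc%.gpg}")"
    # Remove the plaintext even if the editor or gpg fails part way through.
    trap 'rm -rf "$work"' EXIT INT TERM
    gpg --quiet --output "$plain" --decrypt "$enc"
    "${EDITOR:-vi}" "$plain"
    # Re-encrypt inside tmpfs, then replace the on-disk ciphertext atomically.
    if [ -n "$recipient" ]; then
        gpg --quiet --yes --output "$plain.gpg" --recipient "$recipient" --encrypt "$plain"
    else
        gpg --quiet --yes --output "$plain.gpg" --default-recipient-self --encrypt "$plain"
    fi
    cp "$plain.gpg" "$enc.tmp" && mv "$enc.tmp" "$enc"
    rm -f "$plain" "$plain.gpg"
}
```

Usage: edit_encrypted password.txt.gpg; the script refuses to run at all if it cannot find a tmpfs, which is the whole point.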
Syndicated 2008-08-25 16:06:04 from Dave Jones recollection of stuff that happened.