For decades, we have assumed our local computing devices are a safe place to store digital secrets. Most software, systems and security protocols make this assumption. But lately, I have been having doubts and I’m really not sure how to safely use a system that others may compromise at any time.
Linux as an example
/home/user with 700 perms is mine and mine only, right? Root could mess about there (obviously), but when I’m the only user with the root password, that’s no real concern.
And for ages, Linux software packages have assumed that /home/user is a safe place to store secrets.
Directories under /home/user such as .ssh, .gnupg and .aws (and many others) store plaintext or encrypted secrets. My .bashrc contains secrets such as DB connection strings and API keys that are exported as environment variables (got to keep those secrets out of git repositories).
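As an added example (not code from the original post), the script below does the inventory that paragraph implies: it walks a directory of key files, tells passphrase-protected keys from plaintext ones by parsing the file header rather than guessing from the name, and lists which exported variables in a shell rc file look like credentials (names only, never values). It assumes POSIX sh plus coreutils (sed, tr, base64, od, head, ls, cut, mktemp); the sample "key" files and rc file it builds in a temp directory are constructed for the stand-alone run and carry only the header fields the parser reads, so they are not usable keys.

```shell
#!/bin/sh
# Added example, not code from the original post: inventory private keys and
# exported shell-rc secrets, and separate encrypted keys from plaintext ones.
# Assumes POSIX sh plus coreutils (sed, tr, base64, od, head, ls, cut, mktemp).

# Write a uint32 big-endian length (assumed < 256 here) followed by the bytes.
put_string() {
    printf '\000\000\000'
    printf "\\$(printf '%03o' "${#1}")"
    printf '%s' "$1"
}

# Extract the ciphername from an "openssh-key-v1" private key. After base64
# decoding the blob is: 15-byte magic "openssh-key-v1\0", uint32 length +
# ciphername, uint32 length + kdfname, ... The first 64 bytes are enough.
openssh_ciphername() {
    bytes=$(sed '1d;$d' "$1" | tr -d '\r\n' | base64 -d 2>/dev/null \
            | head -c 64 | od -An -v -tu1 | tr -s ' \n' ' ')
    set -- $bytes                                  # one decimal byte per argument
    [ $# -ge 20 ] && [ "$1" -eq 111 ] || return 1  # 111 = 'o', start of the magic
    shift 15
    len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    shift 4
    [ "$len" -gt 0 ] && [ "$len" -le $# ] || return 1
    name=""; i=0
    while [ "$i" -lt "$len" ]; do
        name="$name$(printf "\\$(printf '%03o' "$1")")"   # byte value -> char
        shift; i=$((i + 1))
    done
    printf '%s\n' "$name"
}

# Classify one key file: prints encrypted, plaintext or unknown.
key_protection() {
    case "$(head -n 1 "$1" | tr -d '\r')" in
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            cipher=$(openssh_ciphername "$1") || { echo unknown; return 0; }
            [ "$cipher" = none ] && echo plaintext || echo encrypted ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo encrypted ;;   # PKCS#8, encrypted
        '-----BEGIN PRIVATE KEY-----')           echo plaintext ;;   # PKCS#8, clear
        '-----BEGIN '*' PRIVATE KEY-----')
            # Legacy PEM keys carry "Proc-Type: 4,ENCRYPTED" when passphrase-protected.
            grep -q '^Proc-Type: 4,ENCRYPTED' "$1" && echo encrypted || echo plaintext ;;
        *) echo unknown ;;
    esac
}

# Walk a directory: mode, protection status and path of every private key.
audit_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] && grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null || continue
        printf '%s  %-9s  %s\n' "$(ls -ld "$f" | cut -c1-10)" "$(key_protection "$f")" "$f"
    done
}

# Exported variables in a shell rc file whose names look like credentials.
# Prints only the names, so the report itself does not leak anything.
find_exported_secrets() {
    sed -n 's/^[[:space:]]*export[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" \
        | grep -E -i 'key|token|secret|pass|dsn|database|db_'
}

# Constructed samples for a stand-alone run: only the leading header fields of
# the openssh-key-v1 format are present, which is all the parser reads.
make_sample() {   # path ciphername kdfname kdfoptions
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        { printf 'openssh-key-v1\000'; put_string "$2"; put_string "$3"; put_string "$4"; } | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$1"
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
make_sample "$tmp/id_ed25519"        none       none   ''
make_sample "$tmp/id_ed25519_locked" aes256-ctr bcrypt 'saltsaltsaltsalt'
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF' '' 'AAAA' \
    '-----END RSA PRIVATE KEY-----' > "$tmp/id_rsa_legacy"
chmod 600 "$tmp"/id_*
printf '%s\n' 'export EDITOR=vim' 'export AWS_SECRET_ACCESS_KEY=constructed' \
    'export DATABASE_URL=postgres://app:constructed@db/app' > "$tmp/bashrc"

audit_keys "$tmp"                     # in real use: audit_keys "$HOME/.ssh"
find_exported_secrets "$tmp/bashrc"   # in real use: find_exported_secrets "$HOME/.bashrc"
```

Point `audit_keys` at ~/.ssh, ~/.gnupg or wherever else you keep keys and any line reporting `plaintext` is a key that an attacker who can read your home directory can use immediately, with no passphrase to crack. The header parse is deliberate: a file named id_rsa tells you nothing about whether it is encrypted, while the ciphername field (`none` versus `aes256-ctr`) does.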
But what if…
Say a sophisticated cyber criminal gang (or a government) can compromise my system and read my /home files whenever it likes (thanks to all the memory-unsafe C programs my system exposes to the Internet).
What if this hasn’t happened to me because I’m simply not an interesting target? I don’t own a lot of Bitcoin, sell guns or launder drug money on a Tor hidden service.
Could it happen to me? Yes, I think that’s possible.
Has it happened? I’m not sure and I’m not sure how I would know if it has.
What should a reasonable person do? Don’t worry about it.
If you’re not a cyber criminal or don’t have a lot of crypto to steal, this will probably never happen to you… unless you’re a Linux kernel developer (got to get those backdoors into the git repository somehow).
I suppose I could run QubesOS and try to isolate some parts of my digital life. I could keep all of my passwords and secret keys in an offline qube and paste those into other qubes when needed. But that doesn’t work for all scenarios.
I need an online qube to do software development. This involves git commits. I PGP sign those and also use an SSH key for repository access. The dev qube obviously needs access to those secrets and it has to be online (at least sometimes) to push and pull from the remote repositories.
All of my keys are password protected, so if a cyber criminal gang obtained them, they’d have to crack those passwords in order to use the keys. But if they can access my computer and copy the secrets, then they can probably watch me type or paste in passwords and take those too. And once a key has been unlocked into ssh-agent or gpg-agent, anything running as my user can talk to the agent socket and sign or authenticate with it without ever seeing the passphrase.
Isolation seems helpful, but does not fully address the issue.
Update from the comments: Qubes offers Split GPG to further isolate PGP keys. Thanks for the tip qubelover!
What about hardware tokens? Maybe I could buy a YubiKey and put all of my secrets on that and use that key with Qubes? I may try that approach, but haven’t thought through the details. That seems like a solution that may fully address the issue, but I’m not certain. A token would keep the private keys from being copied off the machine, but a compromised host can still ask a plugged-in token to sign or decrypt on its behalf; requiring a physical touch for each operation limits that to moments when I’m actually at the keyboard.
Have others thought about this? How have you addressed it?
Please share your thoughts in the comments.