Use macOS Keychain? #8
@juanjonol regarding the Pros: I'm not sure about this, does it have to be used in a FileVault encrypted system? We're having a scenario where we are using OS X as a server without FileVault encryption for the boot volume, since you could not boot or reboot a server without entering a password (direct access). Therefore we have the data on an external drive which is encrypted. If the password is stored on the (boot) disk in plain text, this could be easily exploited.
Hi! It can be used without FileVault, but even in that case I still don't see any benefit from using the keychain: if the server can be started without a password, the keychain's password must be stored in plaintext on the boot disk, or you would have to manually unlock the keychain after each start. Am I missing something? Also, although the passwords are stored in plaintext, they can only be read by root. Without FileVault, an attacker with physical access could extract the disk from the server and read all the passwords from another computer (root permissions are ignored across OSs), but this attack would also allow the attacker to read the keychain (like I said, the keychain's password must be stored in plaintext too) and a lot of other things (installing a rootkit, for example). So I don't see how this is more easily exploitable than the keychain.
I guess that if someone needs:
Then there would be a good reason for using the keychain. But I cannot think of anyone with these requirements.
No, the keychain password must not be stored in plaintext somewhere: https://github.com/jridgewell/Unlock#is-my-data-really-secure
I have researched this, and I have found that the System Keychain's password is stored in So Unlock's README is not correct: the System Keychain is secure, but it isn't tied to its computer. Also, I see using the Keychain even more pointless now: for some reason, I assumed that Unlock used the User Keychain, which is unlocked at boot with the user's password (unless you make the system bootable without a password, like in your case), but Unlock using the System Keychain means that all Unlock's passwords are essentially in plaintext (encrypted data with the key next to them is for all purposes the same as plaintext data), protected only by root permissions, just like Unlock-Redux's passwords.
In my BootUnlock project here on GitHub, I am using the system keychain. The access to the system keychain is managed by the extended attributes and by default the DiskUtil helper tool has access there (this is the tool that pops up prompts for unencrypting all the encrypted volumes on the system once you login), so what I did is I copied the
Hi! I'm not sure what you're gaining from copying
The script is using macOS keychain, but in order to decrypt the volumes in
an unattended mode the entries are made readable to the copy of the
security tool (the binary is self-signed on install). The reason why I
could not use the system version is that it is executable by everyone on
the system, hence it would mean that anybody could retrieve the credentials.
…On Wed., 9 Oct. 2019, 18:33 juanjonol, ***@***.***> wrote:
Hi! I'm not sure what you're gaining from copying security tool?
Usually, using the Keychain is the right call. But with Unlock, I'm not convinced. Am I missing something?
What Unlock-Redux does
Unlock-Redux simply creates a JSON file and stores all the passwords (with other attributes) in it. This file is only readable and writable by root (something that is checked each time the file is used).
Pros of using the Keychain
Cons of using the Keychain
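One way to implement the root-only check that "What Unlock-Redux does" describes, as an added example that is not Unlock-Redux's own code. The names `open_checked`, `load_passwords`, `InsecureStoreError` and the `required_uid` parameter are hypothetical; `required_uid` exists only so the check can be exercised without being root.

```python
import json
import os
import stat
import tempfile


class InsecureStoreError(Exception):
    """The password file failed the ownership or permission check."""


def open_checked(path, required_uid=0):
    """Open `path` read-only and validate it on the open descriptor.

    O_NOFOLLOW refuses a symlink as the last path component, and fstat()
    on the descriptor means the file that was checked is the file that is
    read (no check-then-open race on the path).
    Caveat: only POSIX mode bits are inspected, not macOS ACLs.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        raise InsecureStoreError(f"cannot open {path}: {exc}") from exc
    try:
        st = os.fstat(fd)
        mode = stat.S_IMODE(st.st_mode)
        if not stat.S_ISREG(st.st_mode):
            raise InsecureStoreError("not a regular file")
        if st.st_uid != required_uid:
            raise InsecureStoreError(f"owner uid {st.st_uid}, expected {required_uid}")
        if mode & 0o077:  # any group/other bit set
            raise InsecureStoreError(f"mode {mode:04o} grants group/other access")
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "r", encoding="utf-8")


def load_passwords(path, required_uid=0):
    """Run the check on every use, then parse the JSON store."""
    with open_checked(path, required_uid) as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Constructed sample store, owned by the current user for the demo.
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "store.json")
        with open(p, "w", encoding="utf-8") as f:
            json.dump({"constructed-volume-uuid": "constructed-password"}, f)
        os.chmod(p, 0o600)
        print(load_passwords(p, required_uid=os.getuid()))
```

As the thread notes, this check only protects against other local accounts on the running system; it does nothing against someone reading the unencrypted boot disk from another machine.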