diff options
| author |  guilhem <guilhem@fripost.org> | 2013-08-28 04:24:14 +0200 |
|---|---|---|
| committer |  Joey Hess <joey@kitenet.net> | 2013-08-29 14:31:33 -0400 |
| commit | d9fcbfa495a981ce0afc0d66560bd90eff8559bf (patch) | |
| tree | fe2acb468ac8e2c70726a0153bb52b4044c9ec68 /doc/design/encryption.mdwn | |
| parent | c0a39909829a131e4216b2f6021430fcbdad30b4 (diff) | |
Allow revocation of OpenPGP keys.
/!\ It is to be noted that revoking a key does NOT necessarily prevent
the owner of its private part from accessing data on the remote /!\
The only sound use of `keyid-=` is probably to replace a (sub-)key by
another, where the private part of both is owned by the same
person/entity:
git annex enableremote myremote keyid-=2512E3C7 keyid+=788A3F4C
Reference: http://git-annex.branchable.com/bugs/Using_a_revoked_GPG_key/
* Other change introduced by this patch:
New keys now need to be added with option `keyid+=`, and the scheme
specified (upon initremote only) with `encryption=`. The motivation for
this change is to open for new schemes, e.g., strict asymmetric
encryption.
git annex initremote myremote encryption=hybrid keyid=2512E3C7
git annex enableremote myremote keyid+=788A3F4C
Diffstat (limited to 'doc/design/encryption.mdwn')
| -rw-r--r-- | doc/design/encryption.mdwn | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/doc/design/encryption.mdwn b/doc/design/encryption.mdwn index 6a380abe1..377de476e 100644 --- a/doc/design/encryption.mdwn +++ b/doc/design/encryption.mdwn @@ -103,14 +103,16 @@ use the special remote. ## risks -A risk of this scheme is that, once the symmetric cipher has been obtained, it -allows full access to all the encrypted content. This scheme does not allow -revoking a given gpg key access to the cipher, since anyone with such a key -could have already decrypted the cipher and stored a copy. +A risk of this scheme is that, once the symmetric cipher has been +obtained, it allows full access to all the encrypted content. Indeed +anyone owning a key that used to be granted access could already have +decrypted the cipher and stored a copy. While it is in possible to +revoke a key with `keyid-=`, it is designed for a +[[completely_different_purpose|encryption]]. If git-annex stores the decrypted symmetric cipher in memory, then there is a risk that it could be intercepted from there by an attacker. Gpg -amelorates these type of risks by using locked memory. For git-annex, note +ameliorates these type of risks by using locked memory. For git-annex, note that an attacker with local machine access can tell at least all the filenames and metadata of files stored in the encrypted remote anyway, and can access whatever content is stored locally. |