Subject: Re: easiest way to encrypt a file?
To: Lubomir Sedlacik <salo@Xtrmntr.org>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 12/18/2004 08:46:11
In message <20041218133430.GA26747@Xtrmntr.org>, Lubomir Sedlacik writes:
>
>from what he said it seems that his aim is to protect the key from the
>server administrator(s) and the key is a SSH2 DSA key. in that case the
>"protected" key is already encypted as you mentioned. but there is no
>way he could protect its contents by any amount of encrypted layers
>since an altered ssh(1) binary would "take care" of everything and it's
>just a waste of time and addition of pointless complexity.
>
I'll let Jeremy speak for his actual usage model, but I think you're
right -- I read "server" as "web server", i.e., some place he wanted to
store the key for retrieval later. You're absolutely right that
there's no safe way to use a private key on an untrustworthy machine.
--Steve Bellovin, http://www.research.att.com/~smb