From mboxrd@z Thu Jan 1 00:00:00 1970
From: jim@gonzul.net (Jim Cheetham)
Date: Fri, 28 Aug 2009 21:28:28 +1200
Subject: [sup-talk] Encrypted password in configuration file
In-Reply-To: <20090828082349.61bfc91b@ronin.larsko.net>
References: <20090824215435.182e0007@ronin.larsko.net> <20090828082349.61bfc91b@ronin.larsko.net>
Message-ID:

On Fri, Aug 28, 2009 at 7:23 PM, Lars Kotthoff wrote:
>> It's possible, but slightly pointless.
>
> Not if the user supplies the passphrase, e.g. it could be encrypted with the
> user's GPG key and ask for the passphrase at startup.

Why not just ask for the IMAP password itself? There's no functional
difference between that secret, and the secret that unlocks the secret ...
indeed, if sup were to accidentally expose the passphrase you provided,
would you rather lose your GPG key or your IMAP key?

If you are really determined to allow others to read your private files,
why not just encrypt the whole .sup directory with a separate tool
(TrueCrypt, loopback, rot13, encfs, ecryptfs, or whatever else your
distribution provides). That way, you are also protecting the ferret index
collection, and the default sent box, which all contain data of the same
level of sensitivity as your mailbox.

Given your concern, I assume that you will be remembering to terminate sup
and dismount the .sup directory every time you walk away from the keyboard.
(Many schemes these days encrypt the whole of $HOME, which makes the whole
screensaver/away from the keyboard thing even more difficult).

Security must be appropriate to be actual security. Otherwise it's just an
expensive façade.

-jim