From: Diederik de Haas <didi.debian at cknow.org>
To: iwd at lists.01.org
Subject: Re: [RFC 0/2] Encrypt secrets using systemd provided key
Date: Sat, 22 Jan 2022 00:46:23 +0100 [thread overview]
Message-ID: <5088724.FFhpVOcMN3@prancing-pony> (raw)
In-Reply-To: ee74931c2e0f54601f0b83e802e8969731405329.camel@gmail.com
Hi James,
On Friday 21 January 2022 23:30:44 CET James Prestwood wrote:
> > I did/do wonder why my passphrase is stored in plain-text and not in
> > a form which I can get through the wpa_passphrase* utility (I don't know
> > the proper term for it though). Maybe that's what others have been
> > interested in too?
>
> I was unfamiliar with wpa_passphrase until now, but all that appears to
> be doing is deriving a PSK from the SSID/passphrase, not 'encrypted' by
> any means. In IWD this is "PreSharedKey" in the profile. Ultimately
> (for WPA2) you only need the PSK to connect to a network so storing the
> PSK directly is just as insecure as the passphrase.
I followed https://wiki.debian.org/WiFi/HowToUse#WPA-PSK_and_WPA2-PSK and then
removed the commented-out line (thus the plain-text passphrase).
I _think_ it was way more prominent and recommended on that page when I first
read it, quite some years ago.
I knew it wasn't (actually) encrypted, but assumed it to be a (one-way) hash.
I know you can connect to the (WPA2) network with just the PSK, so it won't
prevent connecting to it, if that value is known.
If I wanted to allow a friend access to the same wireless network, I could
give the PSK, without revealing my actual passphrase, which _feels_ more
secure. (Which may be a false sense of security, which is actually worse)
> What I am proposing actually encrypts the passphrase/PSK using a secret
> key, only known to the IWD systemd service.
My reasoning was that if the request/interest came from people equally
'clueless' as I am, then not seeing the plain-text passphrase, but only the
'hash'/PSK, is what they were actually asking.
If it was from knowledgeable people, then yes, actual encryption is very
likely what they were after.
HTH,
Diederik
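As an added illustration of the derivation James describes above (example code written for this page, not from the iwd project or anyone in this thread): wpa_passphrase computes the WPA2 PSK as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes (IEEE 802.11i). The PSK is one-way with respect to the passphrase, but it is also the PMK fed into the 4-way handshake, so whoever holds it holds the full network credential. The iwd profile layout (a [Security] section holding PreSharedKey=) is assumed from iwd.network(5).

```python
import hashlib


def wpa2_psk(ssid: str, passphrase: str) -> bytes:
    """Derive the 256-bit WPA2-Personal PSK exactly as wpa_passphrase does.

    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, c=4096, dkLen=32).
    Only the passphrase form is handled here; a 64-hex-digit PSK typed
    directly by the user is already the PSK and is not derived.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8..63 printable ASCII characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrases must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def iwd_security_section(ssid: str, passphrase: str) -> str:
    """Constructed [Security] section that stores the derived PSK instead of
    the passphrase (section/key names assumed from iwd.network(5)).

    Note the PSK still has to be protected like a password: it is all that
    the 4-way handshake needs, so this only hides the passphrase text, it
    does not reduce what an attacker gains from reading the file.
    """
    return "[Security]\nPreSharedKey=" + wpa2_psk(ssid, passphrase).hex() + "\n"


if __name__ == "__main__":
    # Test vector from IEEE 802.11i Annex H: SSID "IEEE", passphrase "password".
    print(wpa2_psk("IEEE", "password").hex())
    print(iwd_security_section("IEEE", "password"), end="")
```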