From: James Prestwood <prestwoj at gmail.com>
To: iwd at lists.01.org
Subject: Re: [RFC 0/2] Encrypt secrets using systemd provided key
Date: Fri, 21 Jan 2022 14:30:44 -0800
Message-ID: <ee74931c2e0f54601f0b83e802e8969731405329.camel@gmail.com>
In-Reply-To: 1669386.7lEct51Sfr@prancing-pony


Hi Diederik,

On Fri, 2022-01-21 at 23:22 +0100, Diederik de Haas wrote:
> On Friday 21 January 2022 01:41:28 CET James Prestwood wrote:
> > There has been interest in enabling IWD users to store their network
> > credentials in some encrypted form.
> 
> I did/do wonder why my passphrase is stored in plain-text and not in a form
> which I can get through the wpa_passphrase* utility (I don't know the proper
> term for it though). Maybe that's what others have been interested in too?

I was unfamiliar with wpa_passphrase until now, but all that appears to
be doing is deriving a PSK from the SSID/passphrase, not 'encrypted' by
any means. In IWD this is "PreSharedKey" in the profile. Ultimately
(for WPA2) you only need the PSK to connect to a network so storing the
PSK directly is just as insecure as the passphrase.

What I am proposing actually encrypts the passphrase/PSK using a secret
key, only known to the IWD systemd service.

> 
> That appears to be a far simpler solution and also wouldn't have the 
> 'transportation' issue Marcel indicated (IIUC).
> 
> Regards,
>   Diederik
> 
> *) having such a utility as part of iwd seems beneficial, otherwise I'd still
> need to install wpasupplicant package (on Debian) to have such a utility.

