Attacking Full Disk Encryption 2
As usual, security and convenience ride a fulcrum. As things are easier to use, security usually suffers. That applies to full disk encryption too.
What?
I was reviewing a B-sides talk by Tom Kopchak on defeating full-disk encryption. Tom was able to gain administrative access to a Windows laptop with full-disk encryption enabled. We aren’t always safe.
Making KeePassX work with Pinentry and Enigmail 3
KeePassX is my password manager of choice.
Enigmail is the GnuPG signature and encryption add-on for Thunderbird.
Pinentry is used by Enigmail to enable secure entry of PINs, passwords and pass phrases. It blocks copy/paste and forces all keyboard entry into the pinentry textfield. That’s great if you have trivial or easily typed pass phrases. I do not.
These are all fantastic, until you depend on KeePassX to hold non-trivial pass phrases to gain access to your certificates. Since pinentry doesn’t allow copy/paste, there is a major issue. If your passphrase is non-trivial and long, then manually entering them whenever you need to read or send a sensitive email is beyond a hassle. It sucks. pinentry also grabs both the keyboard and copy/paste events, so you are probably unable to alt-tab to the window you really need. Anything typed on the system gets placed into the pinentry text field. How rude.
Workaround
There is a workaround – it is a hassle, but better than trying to type 50 characters of assorted keys.
Use the Perform Autotype option by mousing for your specific KeePassX entry. Doing this means that the Userid needs to be empty and you need to already have KeePassX unlocked before you begin any encryption work. Using the mouse to cause the paste/autotype works.
You’ll probably want to setup gpg-agent to hold your keys for a while too. Anything to avoid going through this crap to retype pass phrases for certificate access.
I’m running Enigmail v1.1.2, Pinentry-gtk2 v0.7.6 and Thunderbird v3.1.8.
