[Enigmail] Enignmail begginner
Robert J. Hansen
rjh at sixdemonbag.org
Sat Dec 27 11:09:30 PST 2008
LeRoy wrote:
> Another item that is important is how you sign someone's key. Do you
> make sure that the key that you are signing is who they say they
> are? Did you verify the fingerprint of the key that you are signing?
This is usually what we mean by "knowing the person," "trusting the
person" and "validating their key," yes.
> Also you should set up your enigmail system so that it will not
> remember the passphrase for any amount of time and that you should
> not have checked Never ask for any passphrase. This is especially
> important in an office environment.
This will depend on your office environment. I know one Federal judge
who has a system in his office for which the GnuPG passphrases are
cached. As he puts it, "if the attacker can get past an armed U.S.
Marshal or an air gap, then I figure he's won fair and square."
I personally use a 720-minute GnuPG timeout. But then again, I work in
a strange office environment -- when I leave my desk I'm required to
blank the screen. If they have my login password, well, that's a game
over condition anyway: not caching the GnuPG passphrase doesn't gain me
anything.
> Also if you are using a laptop, you should encrypt /home /tmp and
> swap partitions if you are running Linux.
Encrypting swap often brings enormous performance penalties, upwards of
30%. Unless you're concerned about the forensic units of national
intelligence agencies, this is way more hammer than your problem needs;
and against those guys, it won't do any good, because they'll come at
you from creative angles to bypass it altogether.
Encrypting /home, yes, that makes sense; /tmp and swap, usually not.
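The 720-minute passphrase timeout mentioned above is a gpg-agent setting. The script below is an added example, not part of the original thread or of Enigmail; it assumes GnuPG 2.x with gpg-agent, the `default-cache-ttl` and `max-cache-ttl` options (which take seconds), and `gpgconf` being available to reload the running agent. The function names `minutes_to_seconds`, `write_agent_cache_conf` and `configured_cache_ttl` are the example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): set how long gpg-agent keeps a
# passphrase cached, using the 720-minute value from the reply above.
# Assumes GnuPG 2.x; cache options are given in seconds in gpg-agent.conf.

# Convert a cache lifetime in minutes to the seconds gpg-agent.conf expects.
minutes_to_seconds() {
    echo $(( $1 * 60 ))
}

# Write a gpg-agent.conf into the given GNUPGHOME directory.
# default-cache-ttl: entry expires after this long without being used.
# max-cache-ttl:     hard cap on the entry's lifetime regardless of use.
# Setting both to the same value gives a fixed window such as 720 minutes.
write_agent_cache_conf() {
    home="$1"
    minutes="$2"
    secs=$(minutes_to_seconds "$minutes")
    mkdir -p "$home"
    chmod 700 "$home"
    cat > "$home/gpg-agent.conf" <<EOF
# Passphrase cache lifetime: $minutes minutes
default-cache-ttl $secs
max-cache-ttl $secs
EOF
    chmod 600 "$home/gpg-agent.conf"
}

# Read the configured default-cache-ttl back, for checking the result.
configured_cache_ttl() {
    awk '$1 == "default-cache-ttl" { print $2 }' "$1/gpg-agent.conf"
}

# Apply to the real keyring and running agent only when invoked as:
#   sh agent-cache.sh apply [minutes]
# Reloading the agent rereads the config and also drops any cached passphrases,
# which is the same thing you would want to happen when locking the screen.
if [ "${1:-}" = "apply" ]; then
    write_agent_cache_conf "${GNUPGHOME:-$HOME/.gnupg}" "${2:-720}"
    gpgconf --reload gpg-agent
fi
```

Run it with `apply` to write the config and reload the agent; without an argument it only defines the functions. Because a reload flushes the cache, tying `gpgconf --reload gpg-agent` to the screen-lock action gives the "blank the screen when leaving the desk" habit described above a matching effect on the passphrase cache.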