On 08/21/2016 06:35 PM, Tom van der Woerdt wrote:
> Side-note wrt your setup:
> You're storing the keys on the disk, and while they're removed immediately after, that potentially leaves them on the physical storage. Since you're already passing them through ssh, consider just having ssh do the stdin bit:
>
>     cat ~/.cryptoPass | ssh user@host "sudo -u tor e4crypt add_key -S $(cat ~/.cryptoSalt) /var/lib/tor"
>
> The salt will end up in the sudo log (/var/log/secure, usually) but the password will never hit the disk. No scp needed, and no files to rm afterwards.
>
> Tom
Thx for your hints - I'll test your advice soon.
FWIW I do have Defaults !syslog,!pam_session in /etc/sudoers, therefore sudo commands shouldn't be logged, I hope. And I do have /tmp as a tmpfs. And finally "tor" is just a technical user w/o login or so.
-- 
Toralf PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
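The stdin pattern Tom suggests, as an added example that is not part of the thread: the passphrase reaches the remote command only through stdin, while the salt travels as a command-line argument (and is therefore visible in process listings and, unless sudo logging is disabled as Toralf describes, in the sudo log). Both `ssh` and `e4crypt add_key` are replaced by local stand-ins (`fake_ssh`, `fake_add_key`) so the script runs offline; the real invocation would be `ssh user@host "sudo -u tor e4crypt add_key -S SALT DIR"`. The file names and values in `demo` are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): hand a secret to a remote command
# over stdin instead of copying it into a file that later has to be removed.

# Stand-in for "ssh user@host CMD": runs CMD in this shell with stdin passed through.
fake_ssh() {
    eval "$1"
}

# Stand-in for the remote consumer. e4crypt add_key reads the passphrase from
# stdin when stdin is not a terminal; this one reports the salt it received as
# an argument and the passphrase length, without ever echoing the passphrase.
# $1 = salt (argv, hence visible in ps/sudo logs), $2 = directory (unused here)
fake_add_key() {
    salt=$1
    IFS= read -r pass
    printf 'salt=%s passlen=%s\n' "$salt" "${#pass}"
}

# The pattern from the thread: passphrase via stdin, salt via an argument.
# A redirect is used instead of "cat file | ssh" so no extra process handles
# the secret; nothing is written on the remote side, so nothing needs an rm.
# $1 = local file holding the passphrase, $2 = local file holding the salt,
# $3 = directory to unlock on the remote host
unlock_over_stdin() {
    salt=$(cat "$2")
    fake_ssh "fake_add_key '$salt' '$3'" < "$1"
}

# Constructed demo: private work dir, mode-0600 secret files, made-up values.
demo() {
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    umask 077
    printf '%s\n' 'correct horse' > "$work/cryptoPass"
    printf '%s\n' 'deadbeefcafe' > "$work/cryptoSalt"
    unlock_over_stdin "$work/cryptoPass" "$work/cryptoSalt" /var/lib/tor
}

demo
```

`unlock_over_stdin` prints `salt=deadbeefcafe passlen=13` for the demo data: the salt is on the remote command line, the passphrase is only ever in the stdin stream and in the consumer's memory. If the remote side must not see the salt in argv either, the consumer has to read it from stdin too, which `e4crypt add_key -S` does not do, so the sudo-log caveat in the thread stands.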