I wrote a dead simple file canary tool that will install an eBPF program that drops all outgoing packets if a canary is touched. I wrote this in response to the current trend of supply chain attacks that try to harvest credentials.

  • IanTwenty@piefed.social · 3 points · 24 hours ago

    Thanks to these attacks I think creds have got to all move to physical security keys, so there's nothing to (digitally) steal any more. This tool is a good idea for the short term.

    • lemmyuser@programming.dev (OP) · 4 points · edited · 24 hours ago

      I agree, for serious secrets you should have something physical involved.

      I spent a bit of time exploring some mechanism to encrypt files on disk and require a YubiKey press to decrypt them transparently for the process requesting access, but I didn't really come up with a solution I liked. The idea there would be that you're prompted "/usr/bin/safe wants to access secret.key, but it is marked as sensitive; decrypt and allow?". The notification part would be easy with fanotify, but it wasn't entirely clear to me what the best way to perform the decryption would be. I think storing the secret on a FUSE file system could work? Things like https://github.com/rfjakob/gocryptfs come to mind.
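The following is an added example, not the OP's tool and not gocryptfs, illustrating the access-gate half of both ideas in this thread: the original post's canary (any open of a canary file trips an alarm and cuts egress) and the reply's "X wants to access secret.key, allow?" gate, using fanotify permission events (`FAN_OPEN_PERM`), which is the mechanism the reply says would be easy for the notification part. Two things are swapped in and should be read as assumptions: the allow-list of (file, executable) pairs is a static policy standing in for an interactive prompt, and the egress cut runs a constructed nftables command in place of the author's eBPF program. The file paths, the executables in the allow-list and the `canary` table name are all made up for illustration.

```c
// Added example (not the author's tool): a fanotify permission gate.
// Canary files: any open, by any process, is denied and trips the alarm.
// Sensitive files: only the allow-listed executable may open them, the
// executable being resolved from /proc/<pid>/exe so a renamed script
// cannot spoof it. Needs CAP_SYS_ADMIN; paths and policy are constructed.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Constructed policy. */
static const char *CANARIES[] = { "/home/user/.aws/credentials.bak", NULL };
static const struct { const char *file; const char *exe; } ALLOWED[] = {
    { "/home/user/.ssh/id_ed25519",    "/usr/bin/ssh"  },
    { "/home/user/.config/secret.key", "/usr/bin/safe" },
    { NULL, NULL }
};

static int g_tripped = 0;            /* set once any canary has been touched */
int canary_tripped(void) { return g_tripped; }

/* Decide one FAN_OPEN_PERM event. Returns FAN_ALLOW or FAN_DENY. */
unsigned int policy_decide(const char *file, const char *exe)
{
    for (size_t i = 0; CANARIES[i]; i++)
        if (strcmp(file, CANARIES[i]) == 0) {
            g_tripped = 1;           /* nothing legitimately opens a canary */
            return FAN_DENY;
        }
    for (size_t i = 0; ALLOWED[i].file; i++)
        if (strcmp(file, ALLOWED[i].file) == 0)
            return strcmp(exe, ALLOWED[i].exe) == 0 ? FAN_ALLOW : FAN_DENY;
    return FAN_ALLOW;                /* not a watched file: leave it alone */
}

/* Drop all egress. Constructed nftables rules; the author's tool does this
 * with an eBPF program instead. */
static void cut_egress(void)
{
    if (system("nft add table inet canary && "
               "nft 'add chain inet canary out "
               "{ type filter hook output priority 0; policy drop; }'") != 0)
        fprintf(stderr, "warning: nft failed, egress NOT cut\n");
}

/* Resolve a /proc symlink (e.g. /proc/<pid>/exe) into buf. */
static void resolve_link(const char *link, char *buf, size_t n)
{
    ssize_t len = readlink(link, buf, n - 1);
    buf[len > 0 ? len : 0] = '\0';
}

int main(void)
{
    /* FAN_CLASS_CONTENT is required to receive permission events. */
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC,
                            O_RDONLY | O_LARGEFILE);
    if (fan < 0) { perror("fanotify_init"); return 1; }

    for (size_t i = 0; CANARIES[i]; i++)
        if (fanotify_mark(fan, FAN_MARK_ADD, FAN_OPEN_PERM, AT_FDCWD, CANARIES[i]) < 0)
            perror(CANARIES[i]);
    for (size_t i = 0; ALLOWED[i].file; i++)
        if (fanotify_mark(fan, FAN_MARK_ADD, FAN_OPEN_PERM, AT_FDCWD, ALLOWED[i].file) < 0)
            perror(ALLOWED[i].file);

    int egress_cut = 0;
    char buf[4096];
    for (;;) {
        ssize_t n = read(fan, buf, sizeof buf);
        if (n <= 0) { if (errno == EINTR) continue; perror("read"); return 1; }
        struct fanotify_event_metadata *ev = (struct fanotify_event_metadata *)buf;
        while (FAN_EVENT_OK(ev, n)) {
            if (ev->mask & FAN_OPEN_PERM) {
                char link[64], file[PATH_MAX], exe[PATH_MAX];
                snprintf(link, sizeof link, "/proc/self/fd/%d", ev->fd);
                resolve_link(link, file, sizeof file);   /* the opened file */
                snprintf(link, sizeof link, "/proc/%d/exe", (int)ev->pid);
                resolve_link(link, exe, sizeof exe);     /* the opener */
                struct fanotify_response resp = {
                    .fd = ev->fd, .response = policy_decide(file, exe) };
                if (write(fan, &resp, sizeof resp) < 0) perror("write");
                if (resp.response == FAN_DENY)
                    fprintf(stderr, "denied pid %d (%s) opening %s\n",
                            (int)ev->pid, exe, file);
                if (canary_tripped() && !egress_cut) { cut_egress(); egress_cut = 1; }
            }
            if (ev->fd >= 0) close(ev->fd);
            ev = FAN_EVENT_NEXT(ev, n);
        }
    }
}
```

Two caveats a practitioner would want: a permission event blocks the opening process until the gate writes its response, so an interactive prompt in place of the static allow-list must be answered (or time out to `FAN_DENY`) or the opener hangs; and checking `/proc/<pid>/exe` only identifies the binary, so a trusted binary running attacker-controlled code (an `ssh` config `ProxyCommand`, a compromised npm postinstall run by `node`) still passes, which is exactly why the decryption step wants a hardware touch rather than a path check.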