I know that Windows is using a kind of master key for encrypting private keys which are stored in the certificate store of the OS. Moreover, I found out that the certificates and keys in Linux are not always stored in the same location (as described in this post). Is there any equal or additional security measure on Linux systems for these various kinds of directories? Or does the system rely on a custom passphrase set for each private key?
2 Answers
It's a bit hard to approach your question because it confuses several things.
The first issue to clear up is that "Windows vs Linux" distinction.
As you probably know, Linux is an operating system kernel. That is, it's a piece of low-level software which works with the computer's hardware and exposes a certain application programming interface (API)—in the form of the so-called "system calls"—to the programs which run on the kernel, as well as certain conventions such as process model etc—read up on this in other places, really. The major point of this is that Linux per se does not "know" anything about SSL/TLS, certificates—let alone certificate stores; these things get implemented on levels higher than the kernel.
The Linux kernel can be used to implement an operating system, and there are lots of them: Debian, Red Hat, Android—to name just a few.
The operating system (OS) is what implements SSL/TLS, certificates etc.
Now even then, for implementing this stuff, particular software packages are responsible. Sometimes, lots of them. To begin with, I, for one, know of several packages implementing SSL/TLS and certificate management. For instance OpenSSL is possibly the most widely used one. Mozilla's NSS is used by such high-profile products as the Firefox browser, Thunderbird mail client and Chrome browser. GNUTLS also enjoys considerable use, and there are also PolarSSL, several recent OpenSSL forks and many other implementations.
To complicate matters even more, different OSes based on Linux may have the same software packages built in such a way that they use different libraries implementing SSL/TLS stuff.
Windows, on the other hand, is an operating system (running on the Windows NT kernel), and like Linux, its kernel implements neither SSL/TLS nor certificate management in itself. But contrary to Linux-based operating systems, Windows has its "official" (created by Microsoft as part of Windows) implementation of SSL/TLS known as "schannel" ("secure channel"), and a set of core supporting libraries and services implementing the OS-level certificate store you've referred to.
Now the more complex part. ;-)
Not all software packages written for Windows use its OS-provided means to deal with SSL/TLS and certificates. For instance, Windows builds of Firefox, Thunderbird and Chrome still use the NSS library they bundle in their software packages to implement SSL/TLS and manage certificates. Much software originally written for non-Windows systems uses OpenSSL or similar implementations even on Windows. In other words, if you import some certificate into the Windows store, it won't be "visible" to those software packages.
To round up, the state of managing certificates is not as uniform as you appear to assume—judging by your question: some pieces of software might use the system certificate store—whatever it can be; some others use whatever is provided by the libraries they use, if any.
I know this does not answer your question, but I wanted to demonstrate that the question makes little sense as stated due to the difficulties I outlined.
By the way, Android does have its own certificate store (protected by the shell-level PIN password).
Small correction. Windows builds of Chrome actually use the Windows certificate store. I believe only the Mozilla products don't (much to the annoyance of SysAdmins). – Ryan Bolger Jan 01 '16 at 17:35
@RyanBolger, oh, I was unaware of that. Thanks for the heads-up! – kostix Jan 01 '16 at 18:58
@anamai, to answer your particular doubts, you can try using LUKS for full-disk encryption or encrypt [just the home directory](https://wiki.debian.org/TransparentEncryptionForHomeFolder) or a part of it. All in all, I'd say the level of protection of an individual password-protected key file is quite adequate, and most of the time you have more to protect than keys (say, against your laptop being stolen), and in this case the solutions above are the way to go. – kostix Jan 01 '16 at 19:12
There doesn't seem to be any other level of security than setting a 700 permission with root owner and adding a custom passphrase. However, you can go a step further and use selinux to make sure that only the owner (and not even root) can access specific private keys. Although doing so isn't that helpful if someone has physical access to your computer. The intruder might be able to alter boot options (with `selinux=0`) to gain access to the necessary folder.
Now, your point of an extra sense of security in Windows doesn't seem quite valid because setting a custom passphrase means encrypting the private key in the key file. But if what you say is correct, then, unlike Windows, you don't have a Master password in the Linux realm. Now one way I can imagine to implement such a notion would be using encfs. Again, it will not work if you need to access private keys when fuse mounts aren't available (like during system boot).
Edit: Correct the selinux part based on @Xyon's comment.
The root user can manipulate selinux attributes *if* in the correct user role / context. User switching methods generally leave the selinux user roles alone, so one must also have the selinux privileges required to move their user role towards the administrative one (on my system at least, sysadm_r). If your selinux policies are set correctly, even root will not be able to change the extended attributes from the user_r context. – Xyon Jan 01 '16 at 11:57
I'm not sure if I fully understand your answer (maybe a language barrier... I'm not good at English). It is possible to set a custom passphrase in Windows anyway, but it seems to me that the certificate store as a whole is protected again by the user password (used for login). I know that this is not a solution which will make you happy in every case. It will in fact not protect you if you are already logged in. I just was not able to find information on whether there is any security measure like this in Linux or not. – anamai Jan 01 '16 at 12:38
@Xyon Yeah you are correct about the selinux part. I have updated my answer accordingly. – Aditya Basu Jan 01 '16 at 14:09
@anamai You might be able to use `encfs` to achieve a similar solution. It works like a transparent encrypting layer at the file-system level. So for example, when you log in you can mount a folder `~/.secure_data` to `~/keys`. Here `~/.secure_data` contains the encrypted data while `~/keys` contains data in clear-text. Any edits and new files get transparently encrypted. I think Ubuntu also uses this when you enable home folder encryption during account setup. – Aditya Basu Jan 01 '16 at 14:14
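
The second answer names two protections for a key file on Linux: restrictive file permissions and a per-key passphrase. The sketch below is an added example, not part of the original answers; it walks a directory and reports both properties for every private key it finds. The function names, sample file names and dummy key bodies are constructed for illustration.

```python
import base64, stat, struct, tempfile
from pathlib import Path

MAGIC = b"openssh-key-v1\0"  # first 15 bytes of a decoded OpenSSH private key

def pem_key_state(text):
    """Return 'encrypted', 'plaintext', or None if text holds no private key."""
    if "PRIVATE KEY-----" not in text:
        return None
    # PKCS#8 encrypted container, or legacy PEM carrying an encryption header
    if "BEGIN ENCRYPTED PRIVATE KEY" in text or "Proc-Type: 4,ENCRYPTED" in text:
        return "encrypted"
    if "BEGIN OPENSSH PRIVATE KEY" not in text:
        return "plaintext"
    # OpenSSH: magic, then a length-prefixed cipher name; "none" = no passphrase
    body = text.split("PRIVATE KEY-----")[1].split("-----END")[0]
    try:
        blob = base64.b64decode("".join(body.split()))
        magic, n = struct.unpack_from(">15sI", blob)
    except (ValueError, struct.error):
        return None
    if magic != MAGIC:
        return None
    return "plaintext" if blob[19:19 + n] == b"none" else "encrypted"

def audit_keys(root):
    """Map each private key under root to (state, octal mode, owner_only)."""
    report = {}
    for path in filter(Path.is_file, Path(root).rglob("*")):
        try:
            with path.open(errors="replace") as fh:
                state = pem_key_state(fh.read(65536))
            mode = stat.S_IMODE(path.stat().st_mode)
        except OSError:  # unreadable by the auditing user: skip
            continue
        if state:
            report[str(path.relative_to(root))] = (state, "%o" % mode, not mode & 0o077)
    return report

def demo():  # audits constructed sample files (dummy bodies, not real keys)
    ssh = base64.b64encode(MAGIC + struct.pack(">I", 4) + b"none").decode()
    pem = "-----BEGIN {0} PRIVATE KEY-----\n{1}\n-----END {0} PRIVATE KEY-----\n"
    root = Path(tempfile.mkdtemp())
    for name, kind, body, mode in [("legacy.pem", "RSA", "AAAA", 0o644),
                                   ("pkcs8.pem", "ENCRYPTED", "AAAA", 0o600),
                                   ("id_ed25519", "OPENSSH", ssh, 0o600)]:
        (root / name).write_text(pem.format(kind, body))
        (root / name).chmod(mode)
    return audit_keys(root)
```

Call `audit_keys()` on a real key directory to get the same report; files the auditing user cannot read are skipped rather than reported.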