| Rich Freeman on 10 Feb 2018 13:32:00 -0800 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
| Re: [PLUG] encrypting files with expiration |
On Sat, Feb 10, 2018 at 4:14 PM, brent timothy saner <brent.saner@gmail.com> wrote: > On 02/10/2018 03:45 PM, Rich Freeman wrote: > >> I don't think view-once was actually part of the requirements, but >> again using the trusted viewer software this might be achievable. > > per OP: > > "... i would like to store the documents so you can't copy and paste -- > *just view once* unlocked. ..." (emphasis added) Or you could read it as just view *once unlocked*. That is you can view it as many times as you want to, but only after you've unlocked it each time. I'll leave it up to OP to clarify. > further, a TPM cannot ensure the unlocked version of this (assuming one > did implement an encryption policy for said data using something > hardware-locked like TPM) is not copied elsewhere- not only by email, > but by other methods. The TPM ensures that the viewer used to display the file is the one that was enrolled with the TPM. You would only enroll a viewer that is capable of display the file without being able to copy it anywhere/etc. Creating a PDF viewer that has no save/copy/email functionality would not be very difficult, and you'd need to ensure that whatever mechanism is used to display the image on the screen is not interceptable. Of course none of this stops you from taking a photo of the screen. :) Ultimately the entity responsible for ensuring that stuff isn't copied isn't the TPM or the software, but the person engineering the solution. The TPM is just part of the solution. However, preventing the person at the keyboard from doing things undesirable to the hardware owner is actually the main reason TPMs were invented. (Obviously with the whole Treacherous Computing thing the "hardware owner" is a touchy matter...) > in order to implement half of what you proposed, you're talking about a > significant rewrite of certain parts of the kernel - not to mention all > the other supporting userland code. I'm not sure that much would actually have to be done to the kernel. Surely protecting a process from other processes is something SELinux must support? There might need to be some additions to the kernel - I wouldn't be surprised if Linus would accept them into mainline if they were done in a general manner, as he already has accepted much of the necessary TPM support. Userland is the main area where support for this stuff is missing. You'd want an OS that generally supports signature verification top-down, relying on the TPM module/etc. That is something I believe RedHat has already expressed some interest in though I don't think they're there yet. My main point is that this is possible, not that it was something the OP was likely to actually undertake. > and, as acknowledged, still does not address other key parts of the > original requirements. Which parts? Even if view-once was a requirement I did provide a solution for it. -- Rich ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug