$ man journalctl
...
--setup-keys
Instead of showing journal contents, generate a new key pair for Forward Secure Sealing (FSS). This will generate a
sealing key and a verification key. The sealing key is stored in the journal data directory and shall remain on the
host. The verification key should be stored externally. Refer to the Seal= option in journald.conf(5) for
information on Forward Secure Sealing and for a link to a refereed scholarly paper detailing the cryptographic
theory it is based on.
...
--verify
Check the journal file for internal consistency. If the file has been generated with FSS enabled and the FSS
verification key has been specified with --verify-key=, authenticity of the journal file is verified.
--verify-key=
Specifies the FSS verification key to use for the --verify operation.
AFAIK, only someone holding the private key can log in to a PKI system.
AFAIK the advice is: "The verification key should be stored externally." Should the private key (?) be stored somewhere else?
Q: In this situation, how are the encrypted log messages signed?
AFAIK, if the encrypted logs are not signed, an attacker can forge logs by encrypting modified logs, and since they are not signed they will be accepted. But keeping the private key there is also bad, because the attacker could sign.
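A toy model of the split the man page describes (sealing key stays on the host, verification key stored externally), added here as an illustration and not systemd's own FSS construction or code; the hash-chain key evolution, the per-epoch MAC tags and the log records are constructed assumptions:

```python
import hashlib
import hmac
import os

def evolve(state: bytes) -> bytes:
    """One-way step to the next epoch; the previous state cannot be recovered."""
    return hashlib.sha256(b"fss-evolve|" + state).digest()

def tag_for(state: bytes, epoch: int, record: bytes) -> bytes:
    """MAC a record under a key derived from the epoch state (epoch is bound in)."""
    key = hashlib.sha256(b"fss-mac|" + state).digest()
    return hmac.new(key, epoch.to_bytes(4, "big") + record, "sha256").digest()

class HostSealer:
    """Host side: holds only the current epoch state, i.e. the sealing key."""
    def __init__(self, state: bytes, epoch: int = 0):
        self.state, self.epoch = state, epoch
    def seal(self, record: bytes) -> tuple:
        return (self.epoch, record, tag_for(self.state, self.epoch, record))
    def advance(self) -> None:
        """Step to the next epoch; the old state is overwritten, not kept."""
        self.state, self.epoch = evolve(self.state), self.epoch + 1

def setup_keys() -> tuple:
    """Like --setup-keys: the seed is the verification key (kept off-host)."""
    verification_key = os.urandom(32)
    return verification_key, HostSealer(verification_key)

def verify(verification_key: bytes, entry: tuple) -> bool:
    """Like --verify-key=: walk the chain from the seed to the entry's epoch."""
    epoch, record, tag = entry
    state = verification_key
    for _ in range(epoch):
        state = evolve(state)
    return hmac.compare_digest(tag_for(state, epoch, record), tag)

def demo() -> dict:
    """Seal two epochs, then model an attacker copying the host state at epoch 2."""
    vkey, host = setup_keys()
    genuine = [host.seal(b"epoch0: system boot")]          # constructed records
    host.advance()
    genuine.append(host.seal(b"epoch1: sshd session opened"))
    host.advance()
    stolen = HostSealer(host.state, host.epoch)            # host compromised now
    forged_past = (0, b"epoch0: rewritten", tag_for(stolen.state, 0, b"epoch0: rewritten"))
    forged_future = stolen.seal(b"epoch2: attacker-written entry")
    tampered = (1, b"epoch1: sshd session denied", genuine[1][2])
    return {"genuine_ok": all(verify(vkey, e) for e in genuine),
            "tampered_rejected": not verify(vkey, tampered),
            "forged_past_rejected": not verify(vkey, forged_past),
            "forged_future_accepted": verify(vkey, forged_future)}  # FSS limit
```

In this model the verification key is itself secret (anyone holding it can re-derive every sealing key), so the protection comes from keeping it off the host and from the host discarding old states, not from a public/private pair; entries sealed before the compromise cannot be rewritten, entries sealed afterwards can.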