ecryptfs-devel team mailing list archive
Message #00004
Re: [PATCH] ecryptfs-utils: key escrow
On Wed, Oct 29, 2008 at 11:57 AM, Michael Halcrow <mhalcrow@xxxxxxxxxx> wrote:
> This patch makes the minimal changes necessary to enable passphrase
> key escrow and key recovery via a SOAP client/server mechanism. This
> is currently at the proof-of-concept level of implementation; there is
> ample opportunity to add features. You need Python and SWIG installed
> to build the libecryptfs SWIG component. Run key-escrow-server, and
> then run escrow-passphrase.py [passphrase] to escrow the key and
> retrieve-passphrase.py [sig] to fetch the key from the server and put
> it in your keyring, all via localhost. There are all kinds of
> opportunities to make this useful and secure, such as stunnel for
> client-server communications, some kind of authentication mechanism,
> and the ability to specify the remote server and storage
> location. This patch just gives a convenient base from which to flesh
> out a real key escrow capability.
From a packaging standpoint, I think it might make sense to separate the
key escrow bits into another binary package, as introducing Python as
a dependency is mostly unrelated to the existing ecryptfs-utils tools.
I'll see what I can come up with, and run it by the Debian packager.
:-Dustin