
ecryptfs-users team mailing list archive

Re: Wrapping mount key file by using two or more keys?

 

On Thu, Feb 25, 2010 at 10:22 PM, Li, Yan I <yan.i.li@xxxxxxxxx> wrote:
> On Fri, Feb 26, 2010 at 11:43:27AM +0800, Dustin Kirkland wrote:
>> You mean, with either one of two keys being valid?  Or requiring two
>> sequential keys to be entered?
>
> Either one.
>
>> Given your Moblin association, I'm guessing you're looking for
>> something like a wrapped-passphrase that can be unlocked using either
>> a standard login password or a 4-digit PIN or something?
>
> Yeah, right. Should be something like that.
>
>> If so, I think the way forward would be to support a list of
>> wrapped-passphrase* files, where the relevant ecryptfs tools gather a
>> list of wrapper-passphrase*, and sequentially try to unwrap each until
>> a success happens.
>
> Exactly. Does such an infrastructure exist? Or maybe I can start to
> write one.

No, none exists yet.  Let's discuss it a bit more, make sure we agree
on a design.  I'd also like to get Tyler's opinion on it.

The functions that deal with the wrapped-passphrase file are
relatively few.  We could support a glob-type interface reasonably
easily.  I'm just not sure of the security of doing so.  I guess we'd
need to know a little more about the use case, if possible.

> BTW, does this have anything to do with PKCS#11 support?

Hmm, not that I know of.  It's more of a token interface.  Like a
fingerprint reader that produces an authentication token.

:-Dustin
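
The list-of-wrapped-files idea discussed in this message, as an added sketch that is not code from the thread or from ecryptfs-utils: one mount passphrase is wrapped once per secret (login password, PIN) and the files are tried in order until one unwraps. The file layout, the PBKDF2/HMAC/SHAKE-256 construction and all function names are assumptions standing in for the real eCryptfs wrapped-passphrase format.

```python
import glob, hashlib, hmac, os

ITERATIONS = 50_000  # assumption: illustrative KDF cost, not eCryptfs's

def _derive(secret, salt):
    """Stretch a wrapping secret into an encryption key and a MAC key."""
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, 64)
    return dk[:32], dk[32:]

def _xor(data, enc_key):
    # Stand-in cipher: XOR with a SHAKE-256 keystream (key is unique per salt).
    stream = hashlib.shake_256(enc_key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(path, mount_passphrase, wrapping_secret):
    """Write salt || tag || ciphertext; one file per wrapping secret."""
    salt = os.urandom(16)
    enc_key, mac_key = _derive(wrapping_secret, salt)
    ct = _xor(mount_passphrase.encode(), enc_key)
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    with open(path, "wb") as f:
        f.write(salt + tag + ct)

def unwrap(path, wrapping_secret):
    """Return the mount passphrase, or None if the secret does not fit."""
    with open(path, "rb") as f:
        blob = f.read()
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    enc_key, mac_key = _derive(wrapping_secret, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if len(tag) != 32 or not hmac.compare_digest(tag, expected):
        return None  # wrong secret or damaged file: never return garbage
    return _xor(ct, enc_key).decode()

def unwrap_any(directory, wrapping_secret):
    """Try every wrapped-passphrase* file in order; stop at the first success."""
    pattern = os.path.join(glob.escape(directory), "wrapped-passphrase*")
    for path in sorted(glob.glob(pattern)):
        passphrase = unwrap(path, wrapping_secret)
        if passphrase is not None:
            return os.path.basename(path), passphrase
    return None, None
```

Each wrapped file protects the same mount passphrase independently, so the passphrase is only as well protected as the weakest wrapping secret; a 4-digit PIN has 10,000 possible values.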


