ecryptfs-users team mailing list archive
Message #00037
Re: Wrapping mount key file by using two or more keys?
On Thu, Feb 25, 2010 at 10:22 PM, Li, Yan I <yan.i.li@xxxxxxxxx> wrote:
> On Fri, Feb 26, 2010 at 11:43:27AM +0800, Dustin Kirkland wrote:
>> You mean, with either one of two keys being valid? Or requiring two
>> sequential keys to be entered?
>
> Either one.
>
>> Given your Moblin association, I'm guessing you're looking for
>> something like a wrapped-passphrase that can be unlocked using either
>> a standard login password or a 4-digit PIN or something?
>
> Yeah, right. Should be something like that.
>
>> If so, I think the way forward would be to support a list of
>> wrapped-passphrase* files, where the relevant ecryptfs tools gather a
>> list of wrapper-passphrase*, and sequentially try to unwrap each until
>> a success happens.
>
> Exactly. Does such an infrastructure exist? Or maybe I can start to
> write one.

No, none exists yet. Let's discuss it a bit more, make sure we agree
on a design. I'd also like to get Tyler's opinion on it.

The functions that deal with the wrapped-passphrase file are
relatively few. We could support a glob-type interface reasonably
easily. I'm just not sure of the security of doing so. I guess we'd
need to know a little more about the use case, if possible.

> BTW, does this have anything to do with PKCS#11 support?

Hmm, not that I know of. It's more of a token interface. Like a
fingerprint reader that produces an authentication token.

:-Dustin
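
Added example, not part of the original message and not ecryptfs-utils code: a sketch of the design discussed above, where the same mount passphrase is wrapped once per credential and a tool globs `wrapped-passphrase*` and tries each file until one unwraps. The file layout and the PBKDF2-keystream-plus-HMAC wrapping are stand-ins assumed for the example, not the eCryptfs wrapped-passphrase format, and the function names are hypothetical.

```python
import glob, hashlib, hmac, os

ITER = 100_000  # PBKDF2 rounds (constructed value for this example)

def _keys(secret, salt, n):
    # One PBKDF2 call yields an n-byte keystream and a 32-byte MAC key.
    okm = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITER, dklen=n + 32)
    return okm[:n], okm[n:]

def wrap(path, mount_pass, secret):
    """Write salt | tag | ciphertext; stand-in format, not eCryptfs's own."""
    salt = os.urandom(16)
    stream, mac_key = _keys(secret, salt, len(mount_pass))
    ct = bytes(a ^ b for a, b in zip(mount_pass, stream))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    # O_EXCL + 0600: never overwrite a wrapper, never leave it world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(salt + tag + ct)

def unwrap(path, secret):
    """Return the mount passphrase, or None if the credential does not fit."""
    with open(path, "rb") as f:
        blob = f.read()
    if len(blob) <= 48:
        return None  # too short to hold salt, tag and data
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    stream, mac_key = _keys(secret, salt, len(ct))
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    # Verify the tag before decrypting so a wrong credential is a clean miss.
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, stream))

def unwrap_any(directory, secret):
    """Try each wrapped-passphrase* file in turn; stop at the first success."""
    pattern = os.path.join(directory, "wrapped-passphrase*")
    for path in sorted(glob.glob(pattern)):
        mount_pass = unwrap(path, secret)
        if mount_pass is not None:
            return path, mount_pass
    return None
```

Because any one wrapper releases the same mount passphrase, the set is only as strong as its weakest credential.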