
ecryptfs-users team mailing list archive

Re: hardware token


On Mon, Mar 21, 2011 at 3:45 PM, Dustin Kirkland <kirkland@xxxxxxxxxx> wrote:
...
...
>>> * Is it a show stopper that you can't unlock your eCryptfs data
>>> remotely? Or is it perhaps a feature?
>>
>> Depends who you ask :)  For me it would be a feature.
>
> Yeah, I think this is the "feature" of your approach.  However, this
> is going to require very, very, very clear documentation and user
> culling.  Too many users get involved with eCryptfs already, who have
> no idea what's going on, and a few of them eventually lose their data
> because they don't record their generated mount passphrase, or
> something.

For sure. For the authentication part of the PAM module, I've added
the ability to have multiple tokens for one user (like a backup
Yubikey, or an administrator with another Yubikey).

Perhaps it's easier for users to present multiple authentication
devices (one USB disk, one Yubikey, one smartcard or any combination
of these) to effectively get backup access to their files, than it is
to get them to actually print the mount passphrase?

The mount passphrase would be stored one time for each authentication
device, encrypted with the PAM_AUTHTOK the authentication device is
capable of producing.

Have you had any thoughts along these lines?

...
> Hehe.  Thanks for the pointers, Fredrik.  Would you know how to do the
> debian packaging necessary to get your pam module installable from the
> Ubuntu archive?

I'm no pro-packager, but there is a PPA for pam_yubico available on my
Launchpad page. Consider it a start - any help welcome =).

  https://launchpad.net/~fredrikt/+archive/yubico-pam

/Fredrik
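As an added illustration (not code from this thread or from pam_yubico), here is how the per-device wrapping Fredrik sketches above could look in Go: the mount passphrase is stored once per authentication device, each copy sealed under a key derived from that device's PAM_AUTHTOK, and presenting any one device is enough to unwrap it. The device labels, the HMAC-based key derivation and the AES-GCM wrapping are assumptions of this example, as are the constructed tokens.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// WrappedKey is one stored copy of the mount passphrase, sealed under one device's authtok.
type WrappedKey struct {
	Device            string // label such as "yubikey-backup" (an assumed name)
	Salt, Nonce, Blob []byte // per-copy KDF salt, AES-GCM nonce, ciphertext plus tag
}

// aeadFor keys AES-GCM with HMAC-SHA256(salt, authtok). This single extract step
// stands in for a real KDF (an assumption; a real module would use HKDF or PBKDF2).
func aeadFor(salt, authtok []byte) cipher.AEAD {
	m := hmac.New(sha256.New, salt)
	m.Write(authtok)
	block, _ := aes.NewCipher(m.Sum(nil)) // 32-byte key: NewCipher cannot fail
	aead, _ := cipher.NewGCM(block)       // standard nonce and tag size: cannot fail
	return aead
}

// WrapForDevices stores the passphrase once per device, sealed under that device's
// authtok with fresh salt and nonce, and bound to the device label as associated data.
func WrapForDevices(passphrase []byte, authtoks map[string][]byte) ([]WrappedKey, error) {
	var out []WrappedKey
	for dev, tok := range authtoks {
		rnd := make([]byte, 28) // 16-byte salt followed by 12-byte nonce
		if _, err := rand.Read(rnd); err != nil {
			return nil, err
		}
		blob := aeadFor(rnd[:16], tok).Seal(nil, rnd[16:], passphrase, []byte(dev))
		out = append(out, WrappedKey{dev, rnd[:16], rnd[16:], blob})
	}
	return out, nil
}

// Unwrap tries the presented token against every stored copy, so any single backup
// device suffices; the GCM tag rejects a wrong token or a tampered copy.
func Unwrap(wrapped []WrappedKey, authtok []byte) ([]byte, error) {
	for _, w := range wrapped {
		if pt, err := aeadFor(w.Salt, authtok).Open(nil, w.Nonce, w.Blob, []byte(w.Device)); err == nil {
			return pt, nil
		}
	}
	return nil, errors.New("presented token does not unlock any stored copy")
}
```

A user who loses one device still unwraps with the other, while a token that matches no stored copy yields an error rather than a wrong passphrase.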


