ecryptfs-users team mailing list archive

Thread
Date

Re: hardware token

To: Dustin Kirkland <kirkland@xxxxxxxxxx>
From: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>
Date: Wed, 13 Apr 2011 11:36:21 -0500
Cc: ecryptfs-users <ecryptfs-users@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <BANLkTi=ANuAeJaWTxYaB=j+-ZMZyYoJmPw@mail.gmail.com>
User-agent: Mutt/1.5.21 (2010-09-15)

Quoting Dustin Kirkland (kirkland@xxxxxxxxxx):
> On Wed, Apr 13, 2011 at 4:18 AM, Fredrik Thulin <fredrik@xxxxxxxxxx> wrote:
> > I think I've asked before but do not remember if it was answered...

I don't remember you asking before, but

> > what do you think about a scheme where the user has (any combination
> > of) the file ~/.ecryptfs/wrapped-passphrase just like today,
> > ~/.ecryptfs/wrapped-passphrase.yubikey-123456 with the mount
> > passphrase protected using challenge-response involving YubiKey with
> > serial number 123456 (just as an index, to be able to have multiple)
> > and ~/.ecryptfs/wrapped-passphrase.pgp for a PGP encrypted version and
> > ...
> >
> > That would be a way to reduce the likelihood that a user
> > looses/corrupts their mount passphrase, while of course increasing the
> > risk of the user's mount passphrase being stolen (bad PGP passphrase
> > or something).
> 
> Personally, I think I like this scheme.  The code changes in
> ecryptfs-utils would be fairly localized, and safe, I think

Yup it's exactly what I was suggesting.  I think this is the right
thing to do.

-serge

References

hardware token
From: Fredrik Thulin, 2011-03-15
Re: hardware token
From: Serge Hallyn, 2011-04-10
Re: hardware token
From: Fredrik Thulin, 2011-04-10
Re: hardware token
From: Serge Hallyn, 2011-04-10
Re: hardware token
From: Fredrik Thulin, 2011-04-13
Re: hardware token
From: Dustin Kirkland, 2011-04-13