ecryptfs-users team mailing list archive
Message #00099
Re: hardware token
Quoting Dustin Kirkland (kirkland@xxxxxxxxxx):
> On Wed, Apr 13, 2011 at 4:18 AM, Fredrik Thulin <fredrik@xxxxxxxxxx> wrote:
> > I think I've asked before but do not remember if it was answered...
I don't remember you asking before, but
> > what do you think about a scheme where the user has (any combination
> > of) the file ~/.ecryptfs/wrapped-passphrase just like today,
> > ~/.ecryptfs/wrapped-passphrase.yubikey-123456 with the mount
> > passphrase protected using challenge-response involving YubiKey with
> > serial number 123456 (just as an index, to be able to have multiple)
> > and ~/.ecryptfs/wrapped-passphrase.pgp for a PGP encrypted version and
> > ...
> >
> > That would be a way to reduce the likelihood that a user
> > loses/corrupts their mount passphrase, while of course increasing the
> > risk of the user's mount passphrase being stolen (bad PGP passphrase
> > or something).
>
> Personally, I think I like this scheme. The code changes in
> ecryptfs-utils would be fairly localized, and safe, I think
Yup, it's exactly what I was suggesting. I think this is the right
thing to do.
-serge
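The multi-wrapper layout Fredrik sketches above, as an added Python example that is not ecryptfs-utils code: one wrapper file per factor, each holding the same mount passphrase under a different unwrapping key, so any surviving file recovers it while every extra file is extra attack surface. It assumes an HMAC-SHA256 counter-mode keystream plus HMAC tag in place of the real wrapping cipher, models the YubiKey as HMAC-SHA1 challenge-response, and all sample values are constructed.

```python
import os, hmac, hashlib

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a PRF keystream: an assumed stand-in for the
    # real ecryptfs-utils wrapping cipher. The multi-wrapper layout is the point.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]
def wrap(secret, key):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    return {"nonce": nonce, "ct": ct, "tag": hmac.new(key, nonce + ct, hashlib.sha256).digest()}
def unwrap(w, key):
    # Verify the tag first so a wrong factor or a corrupted file fails cleanly.
    tag = hmac.new(key, w["nonce"] + w["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, w["tag"]):
        raise ValueError("wrong unwrapping factor or corrupted wrapper")
    return bytes(a ^ b for a, b in zip(w["ct"], _keystream(key, w["nonce"], len(w["ct"]))))
def key_from_login(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
def key_from_yubikey(token_secret, challenge):
    # YubiKey challenge-response is HMAC-SHA1 over the challenge with a 20-byte
    # key that never leaves the token; only the challenge is stored on disk.
    response = hmac.new(token_secret, challenge, hashlib.sha1).digest()
    return hashlib.pbkdf2_hmac("sha256", response, challenge, 1_000)

def make_wrappers(mount_passphrase, login_passphrase, token_secret, serial=123456):
    """One wrapper file per factor; any single one recovers the mount passphrase."""
    salt, challenge = os.urandom(16), os.urandom(32)
    login = wrap(mount_passphrase, key_from_login(login_passphrase, salt))
    yubi = wrap(mount_passphrase, key_from_yubikey(token_secret, challenge))
    return {"wrapped-passphrase": dict(salt=salt, **login),
            f"wrapped-passphrase.yubikey-{serial}": dict(challenge=challenge, **yubi)}

def recover(files, login_passphrase=None, token_secret=None):
    """Open whichever wrapper a supplied factor fits; each extra file is extra attack surface."""
    for name, w in files.items():
        try:
            if name == "wrapped-passphrase" and login_passphrase is not None:
                return unwrap(w, key_from_login(login_passphrase, w["salt"]))
            if name.startswith("wrapped-passphrase.yubikey-") and token_secret is not None:
                return unwrap(w, key_from_yubikey(token_secret, w["challenge"]))
        except ValueError:
            continue
    raise LookupError("no wrapper could be opened with the supplied factors")

# Constructed sample values: a real mount passphrase is random and the token secret lives only in the YubiKey.
MOUNT_PASSPHRASE = bytes(range(32))
LOGIN_PASSPHRASE = "correct horse battery"
TOKEN_SECRET = hashlib.sha1(b"constructed yubikey secret").digest()
```

Deleting `wrapped-passphrase` leaves the YubiKey wrapper usable on its own, which is the loss-protection the proposal is after; a wrong factor fails on the tag check rather than yielding garbage.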