
ecryptfs-users team mailing list archive

Re: hardware token

 

Quoting Fredrik Thulin (fredrik@xxxxxxxxxx):
> On Mon, Apr 11, 2011 at 1:15 AM, Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx> wrote:
> > Cool, looking forward to it.  You might also push some test python code
> > which does the same steps for people to play with.
> 
> That's an excellent idea. I've added
> examples/rolling_challenge_response to python-yubico.
> 
> To try it out:
> 
>   $ git clone git://github.com/Yubico/python-yubico.git
>   $ cd python-yubico/
>   $ export PYTHONPATH="Lib"
>   $ ./examples/rolling_challenge_response --filename foo --verbose --init

Awesome, thanks, I'll try this out tonight.

...

> The demo is usable without a YubiKey too, but then you have to
> copy-paste the expected response manually (of course only shown on
> screen for demo purposes).

Well I don't know - for all my feigned bravado about not caring about
remote access to ecryptfs files, in fact I probably will want to do it
remotely.  In the end it'll probably get automated, but at first I
expect to just copy/paste challenge/response between ssh session and
host.

> > In fact, you seem to be focusing on people doing full home directory
> > encryption - and that's fine as I suspect that's the model we as a
> > whole are trying to push.  But please consider users like me, who
> > have $HOME unencrypted with several separate ecryptfs dirs spread
> > about.  (See the new options to mount.ecryptfs_private.c in
> > natty's ecryptfs-utils)
> 
> You're right. Thanks for reminding me. I'll check the new things in Natty out.
> 
> > So I guess, for my own use, I'd actually just want to stick with a
> > non-changing wrapping key, so that I can support 5 (for example)
> > different ecryptfs directories with different passphrases.  For
> > that case, I'd actually want to use your current model!  :)
> 
> You should be able to use rolling challenges for that model too, with
> one 'state file' per encrypted directory, right?

Yup, I see no reason why not.

thanks,
-serge


