ecryptfs-users team mailing list archive
Message #00100
Re: hardware token
Quoting Fredrik Thulin (fredrik@xxxxxxxxxx):
> On Mon, Apr 11, 2011 at 1:15 AM, Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx> wrote:
> > Cool, looking forward to it. You might also push some test python code
> > which does the same steps for people to play with.
>
> That's an excellent idea. I've added
> examples/rolling_challenge_response to python-yubico.
>
> To try it out:
>
> $ git clone git://github.com/Yubico/python-yubico.git
> $ cd python-yubico/
> $ export PYTHONPATH="Lib"
> $ ./examples/rolling_challenge_response --filename foo --verbose --init
Awesome, thanks, I'll try this out tonight.
...
> The demo is usable without a YubiKey too, but then you have to
> copy-paste the expected response manually (of course only shown on
> screen for demo purposes).
Well I don't know - for all my feigned bravado about not caring about
remote access to ecryptfs files, in fact I probably will want to do it
remotely. In the end it'll probably get automated, but at first I
expect to just copy/paste challenge/response between ssh session and
host.
> > In fact, you seem to be focusing on people doing full home directory
> > encryption - and that's fine as I suspect that's the model we as a
> > whole are trying to push. But please consider users like me, who
> > have $HOME unencrypted with several separate ecryptfs dirs spread
> > about. (See the new options to mount.ecryptfs_private.c in
> > natty's ecryptfs-utils)
>
> You're right. Thanks for reminding me. I'll check the new things in Natty out.
>
> > So I guess, for my own use, I'd actually just want to stick with a
> > non-changing wrapping key, so that I can support 5 (for example)
> > different ecryptfs directories with different passphrases. For
> > that case, I'd actually want to use your current model! :)
>
> You should be able to use rolling challenges for that model too, with
> one 'state file' per encrypted directory, right?
Yup, I see no reason why not.
thanks,
-serge
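The plan in this exchange (a token response to a rolling challenge that wraps the ecryptfs passphrase, a fresh challenge written after every unlock, copy/paste of challenge and response between an ssh session and the host, and one state file per encrypted directory) can be tried end to end without a YubiKey. What follows is an added example written for this page, not code from python-yubico, its examples/rolling_challenge_response script, or ecryptfs-utils. It assumes a token slot that answers HMAC-SHA1(slot_secret, challenge), simulated here in software, and it wraps the passphrase with a stdlib-only construction (PBKDF2 over the token response, a SHA-256 counter-mode keystream, and an HMAC-SHA256 tag) chosen so the demo runs offline; the real script's file format and cipher are not reproduced. The sample passphrases, slot secret and file names are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import os
import secrets
import tempfile
from typing import Callable


class SoftToken:
    """Software stand-in (an assumption, so the demo runs without hardware) for a
    token slot programmed for HMAC-SHA1 challenge-response."""

    def __init__(self, slot_secret: bytes) -> None:
        self._secret = slot_secret

    def challenge_response(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a demo cipher used only because the stdlib has no AES."""
    blocks = [hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _derive_keys(response: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the 20-byte token response into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", response, salt, 10_000, dklen=64)
    return material[:32], material[32:]


def _wrap(passphrase: bytes, response: bytes) -> dict:
    salt = secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(response, salt)
    ciphertext = bytes(p ^ k for p, k in zip(passphrase, _keystream(enc_key, len(passphrase))))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "wrapped": ciphertext.hex(), "tag": tag.hex()}


def _unwrap(state: dict, response: bytes) -> bytes:
    salt, ciphertext = bytes.fromhex(state["salt"]), bytes.fromhex(state["wrapped"])
    enc_key, mac_key = _derive_keys(response, salt)
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, bytes.fromhex(state["tag"])):
        raise ValueError("wrong token response, or state file tampered with")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


Responder = Callable[[bytes], bytes]  # maps a challenge to the token's response


def init_state(path: str, respond: Responder, passphrase: bytes) -> None:
    """Write a state file wrapping `passphrase` under the response to a fresh challenge."""
    challenge = secrets.token_bytes(32)
    state = {"challenge": challenge.hex(), **_wrap(passphrase, respond(challenge))}
    # Atomic, owner-only write: a half-written state file would lose the passphrase.
    tmp = path + ".tmp"
    with os.fdopen(os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:
        json.dump(state, f)
    os.replace(tmp, path)


def read_challenge(path: str) -> bytes:
    """The challenge to show (or paste) for the next unlock of this directory."""
    with open(path) as f:
        return bytes.fromhex(json.load(f)["challenge"])


def unlock_and_roll(path: str, respond: Responder) -> bytes:
    """Recover the passphrase, then re-wrap it under a brand-new challenge.

    `respond` can be a token bound to a local YubiKey, or a function that shows the
    challenge to a remote ssh session and reads back the pasted response.
    """
    with open(path) as f:
        state = json.load(f)
    passphrase = _unwrap(state, respond(bytes.fromhex(state["challenge"])))
    init_state(path, respond, passphrase)  # roll: responses to the old challenge are now useless
    return passphrase


def run_demo() -> dict:
    """Two directories, two passphrases, one token; reports what each check found."""
    token = SoftToken(bytes(range(20)))  # constructed slot secret
    with tempfile.TemporaryDirectory() as d:
        docs, mail = os.path.join(d, "docs.state"), os.path.join(d, "mail.state")
        init_state(docs, token.challenge_response, b"docs passphrase")
        init_state(mail, token.challenge_response, b"mail passphrase")
        first_challenge = read_challenge(docs)
        stale_response = token.challenge_response(first_challenge)  # as if seen in transit
        got = unlock_and_roll(docs, token.challenge_response)
        try:
            unlock_and_roll(docs, lambda _c: stale_response)
            replay_rejected = False
        except ValueError:
            replay_rejected = True
        return {
            "passphrase_ok": got == b"docs passphrase",
            "challenge_rolled": read_challenge(docs) != first_challenge,
            "replay_rejected": replay_rejected,
            "other_dir_unaffected": unlock_and_roll(mail, token.challenge_response) == b"mail passphrase",
        }


if __name__ == "__main__":
    print(run_demo())
```

Two things the demo makes visible that the thread only implies: the response to the current challenge is as good as the passphrase until the state file rolls, so in the copy/paste-over-ssh mode the window between pasting and the rewrite is the part to keep short; and because each state file carries its own challenge and wrapped passphrase, unlocking one directory neither reveals nor invalidates another, which is the per-directory model Serge describes.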