Re: disk encryption on login
From: dreamwvr (dreamwvr dreamwvr.com)
Date: Thu Dec 01 2005 - 12:50:19 CST
>I thought about a way of de-/encrypting home-directories transparently to
>users. I've got a vague idea how to realize this in a reasonable way:
>
>* Generate a key, associate it with a new svnd-image, prepare the image
>* Encrypt the key with the users login password, store it in /home
>* On login, decrypt the key with the password
>* Pass the decrypted key to vnconfig and mount the image on $HOME
>This has some consequences, like
>- creating a new login facility login_decrypt (or sth. similar)
>- writing a program for keyfile/image generation and password changing
>- modify vnconfig to read keys from other sources than stdin
>
>Since I already got some code, it might be smart to ask now for some
>feedback before heading into a completely wrong direction.
>There are probably better ways to accomplish this, so generally opinions
>regarding the issue would be cool.
>
>All the best,
>/Markus

Markus,

If the key used to decrypt some $USER is their password, it might be
useful to centralize via the master.passwd db. No extra file
needed in the $USER $HOME, e.g. a .hushlogin-like scenario.
Then we add a switch to the 'passwd' switches to enable this feature,
something like -K is used with Kerberos. Say --encrhome, whatever..
So it uses, say, getpwent() to get the pwd for comparison. Then
if there is an exact_match we decrypt the user's $HOME image,
otherwise it does not bother doing anything like that..
(I might be missing something as well since it was a late night..)
Since if they know the password they are in anyhow.
It would definitely be a nice-to-have ability.

Best Regards,
dreamwvr
dreamwvr.com
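
Added example, not part of either message and not code from the thread: a sketch of the keyfile steps in the quoted proposal (wrap a random image key under the login password, unwrap it at login, re-wrap it on password change). The function names, the PBKDF2 parameters and the XOR-mask-plus-HMAC wrap are assumptions, chosen as a standard-library stand-in for a real key-wrap cipher; handing the key to vnconfig is not shown.

```python
import hashlib
import hmac
import os

KEY_LEN = 32          # size of the random image key (assumed)
SALT_LEN = 16
ITERATIONS = 100_000  # PBKDF2 work factor (assumed)


def _derive(password, salt):
    """Derive a one-time wrapping mask and a MAC key from the login password."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              ITERATIONS, dklen=KEY_LEN + 32)
    return okm[:KEY_LEN], okm[KEY_LEN:]


def wrap_key(image_key, password):
    """Build the keyfile blob: salt || masked key || tag."""
    if len(image_key) != KEY_LEN:
        raise ValueError("unexpected key length")
    salt = os.urandom(SALT_LEN)  # fresh salt per wrap, so the mask is never reused
    mask, mac_key = _derive(password, salt)
    masked = bytes(a ^ b for a, b in zip(image_key, mask))
    tag = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    return salt + masked + tag


def unwrap_key(blob, password):
    """Recover the image key at login; reject a wrong password or a modified file."""
    if len(blob) != SALT_LEN + KEY_LEN + 32:
        raise ValueError("malformed keyfile")
    salt = blob[:SALT_LEN]
    masked = blob[SALT_LEN:SALT_LEN + KEY_LEN]
    tag = blob[SALT_LEN + KEY_LEN:]
    mask, mac_key = _derive(password, salt)
    expected = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted keyfile")
    return bytes(a ^ b for a, b in zip(masked, mask))


def change_password(blob, old, new):
    """Re-wrap the same image key; the image itself is not re-encrypted."""
    return wrap_key(unwrap_key(blob, old), new)
```

Because only the small keyfile depends on the password, a password change rewrites that file and leaves the encrypted image untouched.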