Re: session-key proposal

Hi!

On 01-Apr-2002 Jari Ruusu wrote:
> This can be done in user space using GnuPG. A long and random session
> key is encrypted using each user's public key. Users just need to type
> their personal GnuPG key to unlock the session key that is then piped
> to "losetup -p 0".

 Yes, I already do this, but there are some problems:

 1. The session key traverses userspace, and thus, can be captured more
    easily. And once someone knows the session key, he cannot be locked
    out. Though this is only needed in very rare cases and setups.
 2. It's not really solid, I mean, it needs a "second" (etc.) file.
    If you encrypt a partition, you need to have the "second" file on a
    separate partition. Although you could use the "offset=" switch and
    embed the data into the beginning of the partition.
 3. It needs some scripting, hacking, external programs (like GPG)
    -- which is fine, if you're a programmer, but might be too much for
    "Average Joe".

 I was also thinking of implementing this in user-space, only then you'd
lose the ability to really "revoke" users' access to the encrypted space.
 But then again, maybe a kernel level thing won't make this that much harder.

 The top two scenarios I'd need session keys for are:
 1. if I'd have to change the password of the encrypted partition
 2. if there needs to be a very secretly kept "rescue" password for the
    partition (think companies, or even, cautious individuals)

 But, thinking of it, maybe a userspace tool would be totally
appropriate.
 
| Noll Janos <johnzero@johnzero.hu> | http://www.johnzero.hu |
| "Expect the unexpected!"    |   ICQ# 4547866   |  Be free! |
-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
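
Added example, not part of the original message and not code from either poster: a Python sketch of the per-user wrapped session key discussed above, covering the passphrase change, the "rescue" passphrase and revocation. Assumptions: passphrase-derived slots and an XOR-with-HMAC wrap stand in for GnuPG public-key encryption, the `header` dict stands in for the separate file or `offset=` region, and all function names are hypothetical.

```python
import hashlib, hmac, os

ITER = 100_000  # PBKDF2 rounds; constructed value for this sketch

def _kek(passphrase, salt):
    # Key-encryption key derived from the user's passphrase.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITER)

def add_slot(header, user, passphrase, session_key):
    # Wrap the 32-byte session key for one user. XOR with a pad derived
    # from the KEK stands in for GnuPG encryption (assumption); the fresh
    # salt makes the pad single-use.
    salt = os.urandom(16)
    kek = _kek(passphrase, salt)
    pad = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(session_key, pad))
    tag = hmac.new(kek, b"tag" + wrapped, hashlib.sha256).digest()
    header[user] = (salt, wrapped, tag)

def unlock(header, user, passphrase):
    # Return the session key, or None for a wrong passphrase or missing slot.
    if user not in header:
        return None
    salt, wrapped, tag = header[user]
    kek = _kek(passphrase, salt)
    expect = hmac.new(kek, b"tag" + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    pad = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(wrapped, pad))

def change_passphrase(header, user, old, new):
    # Scenario 1: re-wrap the same session key; the data is not re-encrypted.
    key = unlock(header, user, old)
    if key is None:
        return False
    add_slot(header, user, new, key)
    return True

def revoke(header, user):
    # Removes the slot only. A user who kept a copy of the session key
    # is not locked out until the data is re-encrypted under a new key.
    return header.pop(user, None) is not None
```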