wof wrote:
> On Wednesday 16 July 2008 23:42:13 Thomas Cameron (Red Hat) wrote:
>> All -
>>
>> I have been asked if there is a way to incorporate Microsoft's PKI with
>> dm-crypt. The story here is that with Microsoft's disk encryption, you
>> can decrypt a directory using an organization key. An example is when
>> an employee leaves and does not tell anyone what his/her passphrase was.
>
> I'm not sure if I get your question. There is no native support from
> Microsoft's PKI to dm-crypt and the other way.

I probably did not phrase it well, sorry.

> If you need a backup key for your disk encryption, you can back up the key.
> This is merely an organisational process.

That I understand, but the customer is asking about doing something like
what Microsoft does when the key is lost, so that an admin can still access
the encrypted information.

> dm-crypt is a device encryption, EFS is based on files and directories. This
> is a difference. If you would like to have features like EFS in Linux, maybe
> eCryptfs (http://ecryptfs.sourceforge.net/) is the right thing for you.
> dm-crypt doesn't support x509, but you can use the certificates to encrypt
> the used key.
>
>> I know with LUKS it's easy to set up multiple passwords. But is there a
>> way to use an x509 certificate to set up access?
>
> Not directly, but you can use e.g. openssl to encrypt/decrypt a key with an x509
> certificate and use this key for luks or native dm-crypt.
>
> wof

I think the short answer here is that we don't really want to mingle the
Microsoft PKI stuff with LUKS keys. The solution is simply to set up the
customer's workstations with encrypted slices with a user key and something
like a helpdesk key. No need to get PKI involved.

Thanks for your response.
-- 
Thomas Cameron, RHCE, RHCX, CNE, MCSE, MCT
Solutions Architect Team Lead, Central Region
512-241-0774 office / 512-585-5631 cell / 512-857-1345 fax