On Wed, Jul 16, 2008 at 06:09:26PM -0500, Thomas Cameron (Red Hat) wrote:
> wof wrote:
> > On Wednesday 16 July 2008 23:42:13 Thomas Cameron (Red Hat) wrote:
> >> All -
> >>
> >> I have been asked if there is a way to incorporate Microsoft's PKI with
> >> dm-crypt. The story here is that with Microsoft's disk encryption, you
> >> can decrypt a directory using an organization key. An example is when
> >> an employee leaves and does not tell anyone what his/her passphrase was.
> >>
> > I'm not sure if I get your question. There is no native support from
> > Microsoft's PKI to dm-crypt and the other way.
>
> I probably did not phrase it well, sorry.
>
> > If you need a backup key for your disk encryption, you can back up the key.
> > This is merely an organisational process.
>
> That I understand, but the customer is asking about doing something like
> what Microsoft does when the key is lost, that an admin can still access
> the encrypted information.

The only way to do that is with LUKS and setting more than one key. You
can then call one of them the "organizational" key and store it
separately. With plain dm-crypt there is only one key and this approach
is not possible.

> > dm-crypt is a device encryption, EFS is based on files and directories. This
> > is different. If you would like to have features like EFS in Linux maybe
> > eCryptfs (http://ecryptfs.sourceforge.net/) is the right thing for you.
> > dm-crypt doesn't support x509, but you can use the certificates to encrypt
> > the used key.
> >
> >> I know with LUKS it's easy to set up multiple passwords. But is there a
> >> way to use an x509 certificate to set up access?
> >
> > Not directly, but you can use e.g. openssl to encrypt/decrypt a key with an x509
> > certificate and use this key for LUKS or native dm-crypt.
> >
> > wof
>
> I think the short answer here is that we don't really want to mingle the
> Microsoft PKI stuff with LUKS keys. The solution is simply to set up
> the customer's workstations with encrypted slices with a user key and
> something like a helpdesk key. No need to get PKI involved.

Indeed.

Arno
-- 
Arno Wagner, Dipl. Inform., CISSP --- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of "news" is
"something that hardly ever happens." -- Bruce Schneier

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx
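What the thread converges on, as an added example that is not code posted by anyone in it: a LUKS device with the user's passphrase in one key slot and a random "helpdesk" key in a second slot, plus wof's suggestion of using openssl to wrap that helpdesk key for the organisation's X.509 certificate. LUKS never sees the certificate; the slot holds the raw key, and the certificate only protects the escrowed copy. The device path in LUKS_DEVICE, the file names helpdesk.crt / helpdesk.pem and the escrow directory are assumptions for illustration. Enrolment destroys the device's contents and needs root and cryptsetup; the built-in self-test only exercises the openssl wrap/unwrap round trip with a throwaway self-signed certificate and a constructed random key, so it runs offline.

```shell
#!/bin/sh
# Added example for the dm-crypt thread above; not code posted by anyone in it.
# Two LUKS key slots: the user's passphrase and a random "helpdesk" key.
# The helpdesk key is wrapped for the organisation's X.509 certificate with
# openssl cms, so only the holder of the matching private key can unwrap it.
# Assumed names: device in $LUKS_DEVICE (e.g. /dev/sdX2), helpdesk.crt /
# helpdesk.pem for the certificate and its private key, an escrow directory.
set -eu
umask 077   # key material must never be created world-readable

# wrap_key <raw-keyfile> <recipient-cert.pem> <out.p7m>
# CMS enveloped data: AES-256-CBC content key, transported under the
# certificate's RSA public key. Only the certificate is needed at enrolment.
wrap_key() {
    openssl cms -encrypt -binary -aes-256-cbc -in "$1" -out "$3" "$2"
}

# unwrap_key <in.p7m> <private-key.pem> <out-keyfile>
# The recovery step; it needs the private key, which stays with the helpdesk.
unwrap_key() {
    openssl cms -decrypt -binary -inkey "$2" -in "$1" -out "$3"
}

# enrol_device <device> <helpdesk-cert.pem> <escrow-dir>
# DESTROYS the device's contents. Slot 0: user passphrase (prompted).
# Slot 1: 64 random bytes that never leave the machine in the clear.
enrol_device() {
    dev=$1 cert=$2 escrow=$3
    head -c 64 /dev/urandom > "$escrow/helpdesk.key"
    cryptsetup luksFormat "$dev"                          # asks for the user passphrase
    cryptsetup luksAddKey "$dev" "$escrow/helpdesk.key"   # asks for that passphrase again
    wrap_key "$escrow/helpdesk.key" "$cert" "$escrow/$(basename "$dev").key.p7m"
    rm -f "$escrow/helpdesk.key"                          # keep only the wrapped copy
}

# recover_device <device> <escrow.p7m> <private-key.pem> <mapper-name>
# What the helpdesk does when the user's passphrase is gone.
recover_device() {
    tmp=$(mktemp)
    unwrap_key "$2" "$3" "$tmp"
    cryptsetup luksOpen --key-file "$tmp" "$1" "$4"
    rm -f "$tmp"
}

# selftest_wrap_roundtrip: offline check of the openssl part with a throwaway
# self-signed certificate and a constructed random key. Returns 0 on success.
selftest_wrap_roundtrip() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=helpdesk-escrow" \
        -keyout "$d/helpdesk.pem" -out "$d/helpdesk.crt" 2>/dev/null
    head -c 64 /dev/urandom > "$d/luks.key"
    wrap_key "$d/luks.key" "$d/helpdesk.crt" "$d/luks.key.p7m"
    unwrap_key "$d/luks.key.p7m" "$d/helpdesk.pem" "$d/recovered.key"
    if cmp -s "$d/luks.key" "$d/recovered.key"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

if [ -n "${LUKS_DEVICE:-}" ]; then
    enrol_device "$LUKS_DEVICE" "${HELPDESK_CERT:-helpdesk.crt}" "${ESCROW_DIR:-.}"
else
    selftest_wrap_roundtrip && echo "wrap/unwrap round trip OK"
fi
```

Two caveats follow from the design. Losing the helpdesk private key loses every escrowed copy at once, so that key needs its own backup and access control. And because the raw helpdesk key sits in a LUKS slot, revoking the certificate changes nothing on the device; to rotate, add a fresh random key, wrap it, and remove the old slot with cryptsetup luksKillSlot.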