On Tue, 2008-11-11 at 01:15 +0900, Osamu Aoki wrote:
> Unless you wish to use PAM, I see no advantage in using the login passphrase
> to wrap encryption keys. I think that really defeats the purpose of this
> kernel module in terms of security of data after the PC is stolen.

I disagree that it defeats the purpose, but I'm happy to support alternative use cases.

> This can be made more robust by using an independent passphrase to wrap
> the key.
>
> I attach a patch here. It works as follows:
>
> $ ecryptfs-setup-private --wrapping
>
> will use an independent passphrase to wrap encryption keys. It asks for the
> passphrase twice to be sure and reminds you to record it.
>
> $ ecryptfs-mount-private
>
> will mount it while asking for the passphrase.
>
> (If you use this to set up, the PAM thing should not work.)
>
> Use ecryptfs-rewrap-passphrase when you wish to change the wrapping
> passphrase.
>
> For now, this is good for me and I am happy having made the following for
> my desktop:
>
> $ mkdir -p ~/Private/Desktop
> $ ln -sf ../Private/Desktop ~/Desktop/Private
>
> It may be a good idea to add a nice conditional zenity dialogue in
> ecryptfs-mount-private to prompt for the passphrase in a GUI. zenity is a GTK
> dialogue.

Thanks for the patch. I'm making a few changes, and testing it. I'll post back here with the git log.

:-Dustin
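Added illustration, not part of this thread or of the ecryptfs-utils code: a Python sketch of the wrap / unwrap / rewrap cycle that the commands above perform, using PBKDF2 and an HMAC-based keystream with an integrity tag as stand-ins for ecryptfs's own wrapped-passphrase format (the function names and the blob layout are assumptions). It shows what ecryptfs-rewrap-passphrase relies on: rewrapping replaces only the passphrase-protected envelope, the underlying key and the data encrypted under it are untouched, and the old passphrase no longer unwraps anything.

```python
import hashlib
import hmac
import os

SALT_LEN, TAG_LEN, ITERATIONS = 16, 32, 50_000


def _derive_keys(passphrase: str, salt: bytes):
    """Derive separate encryption and MAC keys from the wrapping passphrase (PBKDF2 stand-in)."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, 64)
    return km[:32], km[32:]


def _keystream(key: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a simple PRF-based stream cipher (illustration only).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap_key(fek: bytes, passphrase: str) -> bytes:
    """Envelope a raw file-encryption key under a passphrase: salt || ciphertext || tag."""
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(fek, _keystream(enc_key, len(fek))))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag


def unwrap_key(blob: bytes, passphrase: str):
    """Return the raw key, or None when the passphrase is wrong or the blob was altered."""
    salt, ct, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


def rewrap_key(blob: bytes, old_passphrase: str, new_passphrase: str) -> bytes:
    """What a rewrap does: unwrap with the old passphrase, wrap the same key with the new one."""
    fek = unwrap_key(blob, old_passphrase)
    if fek is None:
        raise ValueError("old passphrase does not unwrap the key")
    return wrap_key(fek, new_passphrase)
```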