On Mon, Mar 21, 2011 at 3:45 PM, Dustin Kirkland <[email protected]> wrote:
...
...
>>> * Is it a show stopper that you can't unlock your eCryptfs data
>>> remotely? Or is it perhaps a feature?
>>
>> Depends who you ask :) For me it would be a feature.
>
> Yeah, I think this is the "feature" of your approach. However, this
> is going to require very, very, very clear documentation and user
> culling. Too many users get involved with eCryptfs already, who have
> no idea what's going on, and a few of them eventually lose their data
> because they don't record their generated mount passphrase, or
> something.

For sure.

For the authentication part of the PAM module, I've added the ability to have multiple tokens for one user (like a backup Yubikey, or an administrator with another Yubikey).

Perhaps it's easier for users to present multiple authentication devices (one USB disk, one Yubikey, one smartcard or any combination of these) to effectively get backup access to their files, than it is to get them to actually print the mount passphrase?

The mount passphrase would be stored one time for each authentication device, encrypted with the PAM_AUTHTOK the authentication device is capable of producing.

Have you had any thoughts along these lines?

...
> Hehe. Thanks for the pointers, Fredrik. Would you know how to do the
> debian packaging necessary to get your pam module installable from the
> Ubuntu archive?

I'm no pro-packager, but there is a PPA for pam_yubico available on my Launchpad page. Consider it a start - any help welcome =).

https://launchpad.net/~fredrikt/+archive/yubico-pam

/Fredrik
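
The per-device storage proposed in the message above, sketched as an added example that is not part of the original post and is not pam_yubico or eCryptfs code. It assumes each device yields a stable PAM_AUTHTOK; the function names, sample tokens and the HMAC-based keystream (a stdlib-only stand-in for a vetted authenticated cipher) are constructed for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def _keys(authtok, salt):
    # Stretch the device-produced token into an encryption key and a MAC key.
    okm = hashlib.pbkdf2_hmac("sha256", authtok, salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def _xor_stream(key, data):
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for a vetted cipher.
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(mount_passphrase, authtok):
    # One slot per device: fresh salt, ciphertext, and an integrity tag.
    salt = os.urandom(16)
    enc_key, mac_key = _keys(authtok, salt)
    ct = _xor_stream(enc_key, mount_passphrase)
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap(slot, authtok):
    # Check the tag before decrypting so a wrong token yields None, not garbage.
    enc_key, mac_key = _keys(authtok, slot["salt"])
    expect = hmac.new(mac_key, slot["salt"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, slot["tag"]):
        return None
    return _xor_stream(enc_key, slot["ct"])

def unlock(slots, authtok):
    # Try every slot; any one enrolled device recovers the same passphrase.
    for name, slot in slots.items():
        secret = unwrap(slot, authtok)
        if secret is not None:
            return name, secret
    return None

# Constructed sample values, not real secrets or real device output.
MOUNT_PASSPHRASE = b"constructed-mount-passphrase"
TOKENS = {"yubikey": b"tok-yubikey", "backup-yubikey": b"tok-backup", "usb-disk": b"tok-usb"}
SLOTS = {name: wrap(MOUNT_PASSPHRASE, tok) for name, tok in TOKENS.items()}

if __name__ == "__main__":
    print(unlock(SLOTS, b"tok-backup"))
    print(unlock(SLOTS, b"tok-not-enrolled"))
```

Deleting one entry from `SLOTS` drops that device while the remaining slots still unlock the same mount passphrase.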

