On Tue, Jun 10, 2008 at 10:27:04AM +0200, Dietmar Lippold wrote:
> Michael Halcrow wrote:
> > On Thu, Jun 05, 2008 at 12:45:55PM +0200, Dietmar Lippold wrote:
> > > Why is the file /tmp/test/Test readable although root gave the wrong
> > > passphrase?
> >
> > If you run ``keyctl show'', you will see that the key you used in the
> > previous mount is still available in your keyring. eCryptfs is using
> > that key to access the file.
>
> Would it be reasonable that eCryptfs would not ask (double) for a
> passphrase if a legitimate key is in the keyring (so that eCryptfs
> will not use the enquired passphrase even if it is wrong)?

Since keys are checked against the sig-cache.txt file anyway, I figured
that asking for the passphrase twice is generally a waste of time. I
checked in a change to the GIT tree to fix that last week; the next
release of ecryptfs-utils will only prompt for the passphrase once,
relying on the cache to sanity check the passphrase.

> Would it be possible to revoke the key for an eCryptfs directory when
> the directory is unmounted? If yes, would it be reasonable that
> eCryptfs would have a configuration option for that?

Yes and yes. The kernel code should be able to revoke keys referenced by
sigs in the mount_crypt_stat struct on umount.

> Would it be reasonable that there would be a configuration option to
> set a general lifetime for a key which is created from a passphrase
> given to eCryptfs?

The kernel keyring does have a key expiration feature:

http://lwn.net/Articles/210502/

eCryptfs could make use of that to have keys expire after a set period
of time. I am not planning on doing any of this anytime soon, but if
someone out there wants to send me patches, I will be happy to review
and merge.

Mike
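The behaviour Michael describes above (the passphrase-derived key outliving the umount, so a later mount works no matter what passphrase is typed) can be handled from user space today, without the kernel-side revocation or expiry the thread discusses as future work. The following script is an added example and is not code from the thread or from ecryptfs-utils. It assumes the keyutils `keyctl` tool is installed; eCryptfs passphrase keys are keys of type `user` whose description is the 16-hex-digit signature that also appears in sig-cache.txt, and the script matches on that shape. The `keyctl show` text embedded in it is a constructed sample so the parsing can be exercised offline; the key IDs in it are made up.

```shell
#!/bin/sh
# Added example, not part of the thread: after umounting an eCryptfs mount,
# revoke the eCryptfs passphrase keys still sitting in the kernel keyring
# (or give them a timeout), so the mount cannot be redone without the
# passphrase. Assumes keyutils' `keyctl`.

# Constructed sample of `keyctl show` output (IDs and signatures are made up).
# eCryptfs keys are type "user" with a 16-hex-digit signature as description.
SAMPLE_KEYCTL_SHOW='Session Keyring
 123456789 --alswrv   1000  1000  keyring: _ses
 234567890 --alswrv   1000 65534   \_ keyring: _uid.1000
 345678901 --alswrv   1000  1000       \_ user: 0123456789abcdef
 456789012 --alswrv   1000  1000       \_ user: some_other_user_key
 567890123 --alswrv   1000  1000       \_ user: fedcba9876543210'

# Read `keyctl show` text on stdin; print the numeric IDs of keys that look
# like eCryptfs passphrase keys (type "user", description = 16 hex digits).
ecryptfs_key_ids() {
    grep -E 'user: [0-9a-f]{16}[[:space:]]*$' | awk '{ print $1 }'
}

# The same parser run over the constructed sample.
sample_ecryptfs_key_ids() {
    printf '%s\n' "$SAMPLE_KEYCTL_SHOW" | ecryptfs_key_ids
}

# Unmount the given mount point, then revoke every eCryptfs key visible in
# the caller's keyrings. Revoked keys are gone for good; a new mount has to
# go through ecryptfs-add-passphrase / the mount helper again.
umount_and_revoke() {
    mp="$1"
    umount "$mp" || return 1
    keyctl show | ecryptfs_key_ids | while read -r id; do
        echo "revoking eCryptfs key $id"
        keyctl revoke "$id"
    done
}

# Alternative to immediate revocation: give the keys a lifetime in seconds,
# using the kernel keyring expiry feature the thread points at.
expire_ecryptfs_keys() {
    seconds="$1"
    keyctl show | ecryptfs_key_ids | while read -r id; do
        echo "key $id expires in ${seconds}s"
        keyctl timeout "$id" "$seconds"
    done
}

# Usage: ./ecryptfs-keys.sh umount /mnt/secret
#        ./ecryptfs-keys.sh expire 600
case "${1:-}" in
    umount) umount_and_revoke "$2" ;;
    expire) expire_ecryptfs_keys "$2" ;;
    *) ;;  # no arguments: only define the functions
esac
```

With no arguments the script only defines the functions, so it can be sourced from a shell or checked against the sample without touching any real mount or keyring. Because `keyctl show` walks the session keyring, keys that live only in a keyring not linked from the session (for example another user's `_uid.N`) will not be listed, which is the expected scope for per-user hygiene.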
_______________________________________________
eCryptfs-users mailing list
eCryptfs-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ecryptfs-users