On Tue, Jan 19, 2016 at 12:22 AM,  <waben...@gmail.com> wrote:
>
> I'm an absolute windows noob. I only use it for graphics work. I even
> didn't know that such a kind of file sharing is possible with it. :-)
>

No worries - I think that is a great place to be.  However, it is
useful to understand what ideas are out there, since some of them are
actually good ones.

The foundation of these kinds of features in windows is that their
user IDs are essentially GUIDs (a combination of an authentication
server and a unique ID I believe):
https://en.wikipedia.org/wiki/Security_Identifier

This is in contrast to a linux UID, which is just a small number.  You
might be UID 0 on your box, and I'm UID on mine.  The UID of the
administrator account of every windows box out there is unique.  That
avoids all kinds of issues, like the whole nfs root-is-nobody design.
You can "chown" a windows file to a UID which isn't native to the
machine - the machine would authenticate anybody trying to read it
against the machine that assigned the UID.

It isn't perfect, but it seems like a better foundation for this sort of thing.

>
> That's right. I think that the effort and the outlay to implement all
> these features into Linux is relatively high. It seems that no vendor
> is willing to assume such a financial risk.
>
> Maybe it is time for another crowdfunding campaign? ;-)
>

Well, changing how user IDs work would be a big task (as far as I'm aware).

However, the bit about Bitlocker isn't actually.  You just need to use
trusted grub, some vanilla kernel config options, and probably some
logic in the initramfs and userspace.  There is already a linux
solution for TPM at every layer of the boot chain, which allows a
userspace program in an initramfs to store an encryption key in the
TPM and retrieve it only if the boot chain isn't tampered with.  You
just need to put together the pieces.

I could probably hack something together in a few days.  The trick is
getting it to survive things like kernel updates and for it to be
robust.  You need to ensure that anything that legitimately changes
your boot chain updates all the settings in the TPM so that on the
next boot the keys are still delivered.  Otherwise your drive becomes
unreadable, and difficult to recover (well, unless you escrow the
encryption keys somewhere, which you certainly can do).

-- 
Rich
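The seal, fail-to-unseal and re-seal-on-update behaviour described above, modelled in Python as an added example (not code from this thread, from Rich, or from any TPM tool): SRK_SECRET, the boot-stage names and DISK_KEY are constructed stand-ins, and the hash chain imitates a TPM PCR extend so that a changed kernel or bootloader yields a different PCR and the key is withheld until it is re-sealed.

```python
import hashlib
import hmac
# Constructed model of TPM sealing. A TPM extends PCRs with each boot stage's hash
# and only unseals a blob when the PCRs match the values it was sealed against.
# SRK_SECRET stands in for key material that never leaves a real chip.
SRK_SECRET = b"constructed-storage-root-key-material"

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot_chain(stages) -> bytes:
    """Measure firmware, bootloader, kernel and initramfs into a PCR that starts at zero."""
    pcr = bytes(32)
    for stage in stages:
        pcr = extend(pcr, stage)
    return pcr

def _wrap_key(pcr: bytes) -> bytes:
    """Wrapping key depends on the chip secret and the policy digest of the PCR value."""
    return hashlib.sha256(SRK_SECRET + hashlib.sha256(pcr).digest()).digest()

def seal(secret: bytes, pcr: bytes) -> dict:
    """Seal a <=32-byte secret to the current PCR value (XOR wrap plus HMAC tag)."""
    wrap = _wrap_key(pcr)
    ct = bytes(a ^ b for a, b in zip(secret, wrap))
    return {"ct": ct, "tag": hmac.new(wrap, ct, hashlib.sha256).digest()}

def unseal(blob: dict, pcr: bytes):
    """Return the secret only if the live PCR reproduces the wrapping key; else None."""
    wrap = _wrap_key(pcr)
    if not hmac.compare_digest(hmac.new(wrap, blob["ct"], hashlib.sha256).digest(), blob["tag"]):
        return None  # boot chain differs from what the key was sealed against
    return bytes(a ^ b for a, b in zip(blob["ct"], wrap))

# Constructed boot chains: original, a legitimate kernel update, and a swapped bootloader
GOOD = [b"firmware-v1", b"trusted-grub-2.02", b"vmlinuz-4.4.0", b"initramfs-4.4.0"]
UPDATED = [b"firmware-v1", b"trusted-grub-2.02", b"vmlinuz-4.4.1", b"initramfs-4.4.1"]
TAMPERED = [b"firmware-v1", b"other-grub", b"vmlinuz-4.4.0", b"initramfs-4.4.0"]
DISK_KEY = b"\x42" * 32
def demo() -> dict:
    blob = seal(DISK_KEY, measure_boot_chain(GOOD))
    results = {
        "good_boot": unseal(blob, measure_boot_chain(GOOD)) == DISK_KEY,
        "tampered_boot": unseal(blob, measure_boot_chain(TAMPERED)) is None,
        "update_without_reseal": unseal(blob, measure_boot_chain(UPDATED)) is None,
    }
    # The update hook: unseal under the old measurements, re-seal against the new ones
    resealed = seal(unseal(blob, measure_boot_chain(GOOD)), measure_boot_chain(UPDATED))
    results["update_with_reseal"] = unseal(resealed, measure_boot_chain(UPDATED)) == DISK_KEY
    return results
```

The "update_without_reseal" case is the unreadable-drive failure mentioned above; the hook that re-seals before reboot is what makes the scheme survive kernel updates.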
