On Sat, 9 Apr 2016 20:18:11 -0400
Matt Schwartz <matt.schwart...@gmail.com> wrote:

> I really like the bioctl full disk encryption feature. I would love
> to see it extended to support multiple users/passkeys. I once worked
> with a commercial full disk encryption product that allowed this ...

You could store keying material on those iStorage datAshur sticks; they
support a user and admin key. Just have one for each user.

Alternatively, you could just store the keying material on the same
disk, but on encrypted softraid partitions, each encrypted with its own
key. Assuming there is already one softraid partition 'a' on the disk,
you have support for 14 different users: an admin with the primary key
material stored on his own USB drive, and 'd', 'e', 'f', 'g', 'h', 'i',
'j', 'k', 'l', 'm', 'n', 'o', and 'p' to encrypt with softraid, storing
another RAID chunk which stores the key material. And you may even be
able to use 'b' but as I understand, this is reserved for swap space.

Not ideal, but "extended to support multiple users/passkeys" seems
incredibly complex. Perhaps an example scenario for such usage would
help.

As someone else pointed out, access to the encrypted partition
basically requires root access to the system anyway.

> and could even be managed over a network.

So basically, an exploit waiting to happen. 

> Coming up with a solution to manage encryption keys over a network is
> trivial ...

Well go on then. Where's the code?

> but I'd love to see the full disk encryption extended to support
> multiple users with individual passkeys.

Right. Any ideas on how to implement this?

Reply via email to