On Sat, 9 Apr 2016 20:18:11 -0400 Matt Schwartz <matt.schwart...@gmail.com> wrote:
> I really like the bioctl full disk encryption feature. I would love > to see it extended to support multiple users/passkeys. I once worked > with a commercial full disk encryption product that allowed this ... You could store keying material on those iStorage datAshur sticks; they support a user and admin key. Just have one for each user. Alternatively, you could just store the keying material on the same disk, but on encrypted softraid partitions, each encrypted with its own key. Assuming there is already one softraid partition 'a' on the disk, you have support for 14 different users: an admin with the primary key material stored on his own USB drive, and 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', and 'p' to encrypt with softraid, storing another RAID chunk which stores the key material. And you may even be able to use 'b' but as I understand, this is reserved for swap space. Not ideal, but "extended to support multiple users/passkeys" seems incredibly complex. Perhaps an example scenario for such usage would help. As someone else pointed out, access to the encrypted partition basically requires root access to the system anyway. > and could even be managed over a network. So basically, an exploit waiting to happen. > Coming up with a solution to manage encryption keys over a network is > trivial ... Well go on then. Where's the code? > but I'd love to see the full disk encryption extended to support > multiple users with individual passkeys. Right. Any ideas on how to implement this?