There is a very simple fix for this. The key can be added to the process
keyring instead of the user keyring. A patch will need to be written to
load keys into ecryptfsd when it is started, but it should be fairly simple.
Trevor
On 10/15/07, Alon Bar-Lev <[EMAIL PROTECTED]> wrote:
>
> On 10/15/07, Michael Halcrow <[EMAIL PROTECTED]> wrote:
> > On Mon, Oct 15, 2007 at 10:23:22PM +0200, Alon Bar-Lev wrote:
> > > This has nothing to do with TSPI... As you need a passphrase to access
> > > TSPI, right? And what do you do with this passphrase? Having
> > > security credentials without "something you know" somewhat makes the
> > > whole idea redundant.
> >
> > TSPI seals your key to a system state, based on the PCR values of the
> > TPM. There is no additional protection of the key (or, more
> > accurately, of the ability to use the key) beyond the PCR values
> > having to match. The secret key is always locked in the TPM; no matter
> > what information is in the user's session keyring, it is useless
> > unless the system's PCR values are set correctly.
>
> So I can read the encrypted files at any point in time... I don't see
> any benefit in encryption using static keys.
>
> Alon.
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> eCryptfs-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/ecryptfs-devel
>