On Mon, 2014-12-08 at 20:45 +0100, Stef Walter wrote:
> Yes, this is useful. I would suggest however that you encrypt a secret
> with the key on the smart card, and use that secret to encrypt the
> password keyring ... rather than doing it directly using the smart
> card.

Oh $DEITY yes. You have a 'session key' which actually encrypts the storage, then you store a copy of that encrypted with the password (for the cases where that works), *and* a copy of it encrypted with whatever external keys you might have, like the pam_pkcs11 one and the Microsoft BKRP one.

> Doing it with the extra step solves all sorts of issues with sharing
> PKCS#11 sessions between processes, etc. In fact if you can put such
> a secret as an AUTHTOK directly in the PAM stack after authenticating
> with the smart card, gnome-keyring will happily use it.

That kind of thing is a possibility, yes. It certainly sounds easier than actually arranging access to PKCS#11 modules or "real" secrets.

Thanks.

-- 
dwmw2
_______________________________________________
gnome-keyring-list mailing list
gnome-keyring-list@gnome.org
https://mail.gnome.org/mailman/listinfo/gnome-keyring-list
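The design sketched in the reply above (one random session key encrypts the stored items; separate wrapped copies of that key are kept for the password and for each external unlock secret, so a smart-card-released secret or a BKRP blob never touches the item storage directly) is shown below as an added, stand-alone example. It is not gnome-keyring's code and does not reproduce its file format: the `Slot`/`Keyring` types, the slot names "password" and "pam_pkcs11", the AES-256-GCM wrapping, the PBKDF2 cost and the embedded sample secrets are all assumptions made for this illustration. It uses only the Go standard library, which is why PBKDF2 is written out by hand.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const pbkdf2Iterations = 100000 // hypothetical cost parameter for this example

// Slot holds one copy of the keyring's session key, wrapped with AES-256-GCM
// under a 32-byte unlock key. Password slots also record a PBKDF2 salt; external
// slots (a secret released by a PAM module after smart-card authentication, a
// BKRP-recovered blob, ...) simply receive their 32-byte key from the caller.
type Slot struct {
	Name  string
	Salt  []byte // nil for external slots
	Nonce []byte
	Wrap  []byte // GCM ciphertext||tag of the 32-byte session key
}

// Keyring is the persisted structure: items encrypted once under the session key,
// plus any number of slots that can release that key. The session key itself is
// only held in memory while the keyring is unlocked.
type Keyring struct {
	Slots     []Slot
	ItemNonce []byte
	Items     []byte
	session   []byte
}

var (
	ErrLocked = errors.New("keyring is locked")
	ErrBadKey = errors.New("wrong password or unlock key")
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD { // callers guarantee a 32-byte key
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA-256 (standard library only).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for blockIdx := uint32(1); len(out) < keyLen; blockIdx++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], blockIdx)
		mac.Write(idx[:])
		u := mac.Sum(nil)                // U_1
		t := append([]byte(nil), u...)   // T = U_1 xor U_2 xor ... xor U_iter
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// NewKeyring encrypts secrets under a fresh random session key. It starts unlocked
// with no slots; add at least one slot before Lock or the key is unrecoverable.
func NewKeyring(secrets []byte) *Keyring {
	k := &Keyring{session: randBytes(32), ItemNonce: randBytes(12)}
	k.Items = gcm(k.session).Seal(nil, k.ItemNonce, secrets, []byte("items"))
	return k
}

// addSlot wraps the session key under unlockKey; the slot name is bound as AAD.
func (k *Keyring) addSlot(name string, salt, unlockKey []byte) error {
	if k.session == nil {
		return ErrLocked
	}
	nonce := randBytes(12)
	wrap := gcm(unlockKey).Seal(nil, nonce, k.session, []byte("slot:"+name))
	k.Slots = append(k.Slots, Slot{Name: name, Salt: salt, Nonce: nonce, Wrap: wrap})
	return nil
}

// AddPasswordSlot wraps the session key under a key derived from the login password.
func (k *Keyring) AddPasswordSlot(name string, password []byte) error {
	salt := randBytes(16)
	return k.addSlot(name, salt, pbkdf2SHA256(password, salt, pbkdf2Iterations, 32))
}

// AddExternalSlot wraps the session key under a 32-byte secret supplied by something
// else, e.g. handed down the PAM stack as an AUTHTOK after smart-card authentication.
func (k *Keyring) AddExternalSlot(name string, unlockKey []byte) error {
	if len(unlockKey) != 32 {
		return errors.New("external unlock key must be 32 bytes")
	}
	return k.addSlot(name, nil, unlockKey)
}

// Lock wipes the in-memory session key; the wrapped copies in the slots remain.
func (k *Keyring) Lock() {
	for i := range k.session {
		k.session[i] = 0
	}
	k.session = nil
}

// Unlock releases the session key through the named slot (password for a password
// slot, raw 32-byte key for an external slot) and returns the decrypted items.
func (k *Keyring) Unlock(name string, credential []byte) ([]byte, error) {
	for _, s := range k.Slots {
		if s.Name != name {
			continue
		}
		unlockKey := credential
		if s.Salt != nil {
			unlockKey = pbkdf2SHA256(credential, s.Salt, pbkdf2Iterations, 32)
		} else if len(credential) != 32 {
			return nil, ErrBadKey
		}
		session, err := gcm(unlockKey).Open(nil, s.Nonce, s.Wrap, []byte("slot:"+name))
		if err != nil {
			return nil, ErrBadKey
		}
		secrets, err := gcm(session).Open(nil, k.ItemNonce, k.Items, []byte("items"))
		if err != nil {
			return nil, fmt.Errorf("items corrupt: %w", err)
		}
		k.session = session
		return secrets, nil
	}
	return nil, fmt.Errorf("no slot named %q", name)
}
```

Because every slot only wraps the session key, adding a smart-card path, or changing the login password, rewrites a few dozen bytes of slot data and never re-encrypts the items; the card (or the PAM module acting on its behalf) is consulted once at unlock time and no PKCS#11 session needs to be shared with the keyring daemon afterwards.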