On 12/1/05, dreamwvr <[EMAIL PROTECTED]> wrote:
> >I thought about a way of de-/encrypting home-directories transparently to
> >users. I've got a vague idea how to realize this in a reasonable way:
> >
> >* Generate a key, associate it with a new svnd-image, prepare the image
> >* Encrypt the key with the users login password, store it in /home
> >* On login, decrypt the key with the password
> >* Pass the decrypted key to vnconfig and mount the image on $HOME
> >This has some consequences, like
> >- creating a new login facility login_decrypt (or sth. similar)
> >- writing a program for keyfile/image generation and password changing
> >- modify vnconfig to read keys from other sources than stdin
> >
> >Since I already got some code, it might be smart to ask now for some
> >feedback before heading into a completely wrong direction.
> >There are probably better ways to accomplish this, so generally opinions
> >regarding the issue would be cool.
> >
> >All the best,
> >/Markus
> Markus,
> If the key used to decrypt some $USER is their password, it might be
> useful to centralize via the master.passwd db. No extra file
> needed in the $USER $HOME. eg: .hushlogin like scenario.
You want a different key for the disk and the user; otherwise the user can never change their password.