[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: disk encryption on login
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: disk encryption on login
- From: dreamwvr <dreamwvr_(_at_)_dreamwvr_(_dot_)_com>
- Date: Thu, 01 Dec 2005 11:50:19 -0700
>I thought about a way of de-/encrypting home-directories transparently to
>users. I've got a vague idea how to realize this in a reasonable way:
>* Generate a key, associate it with a new svnd-image, prepare the image
>* Encrypt the key with the users login password, store it in /home
>* On login, decrypt the key with the password
>* Pass the decrypted key to vnconfig and mount the image on $HOME
>This has some consequences, like
>- creating a new login facility login_decrypt (or sth. similar)
>- writing a program for keyfile/image generation and password changing
>- modify vnconfig to read keys from other sources than stdin
>Since I already got some code, it might be smart to ask now for some
>feedback before heading into a completely wrong direction.
>There are probably better ways to accomplish this, so generally opinions
>regarding the issue would be cool.
>All the best,
If the key used to decrypt some $USER is their password. It might be
useful to centralize via the master.passwd db. No extra file
needed in the $USER $HOME. eg: .hushlogin like scenario.
Then we add a switch in 'passwd' switches to enable this feature
something like -K is used with kerberos. Say --encrhome whatever..
So it uses say getpwent() to get pwd for comparison. Then
if there is a exact_match we decrypt the user's $HOME image.
otherwise it does not bother doing anything like that..
(I might be missing something as well since it was a late night..)
Since if they know the password they are in anyhow.
It would definately be a nice to have ability.