In https://bugzilla.gnome.org/show_bug.cgi?id=741247 I mentioned a couple of use cases where we may want to use an *external* key to decrypt the GKR storage, instead of a key generated from a user's password. One is network logins, where today's password might not match yesterday's *but* there could be a consistent key in escrow on the network which *could* be used to decrypt our storage. The other is pam_pkcs11, where we authenticate using a key stored in a smartcard... and we can actually use *that* key to decrypt the storage. It would be really useful to be able to use those keys for decrypting GKR's storage... and ecryptfs and other things, for that matter. In the pam_pkcs11 case I imagine we'd want to pass a PKCS#11 URI through the PAM stack to those modules which might then want to use that key to attempt decryption. In the case of a key coming from escrow with the Microsoft BackupKey Remove Protocol, perhaps the PAM module there would also implement PKCS#11 entry points and we'd *also* do it with a PKCS#11 URI. Any coherent thoughts on how best to achieve this would be appreciated... -- dwmw2
Attachment:
smime.p7s
Description: S/MIME cryptographic signature