Re: gnome-keyring Using external keys to unlock GKR



On 08.12.2014 18:34, David Woodhouse wrote:
> In https://bugzilla.gnome.org/show_bug.cgi?id=741247 I mentioned a
> couple of use cases where we may want to use an *external* key to
> decrypt the GKR storage, instead of a key generated from a user's
> password.
>
> One is network logins, where today's password might not match
> yesterday's *but* there could be a consistent key in escrow on the
> network which *could* be used to decrypt our storage.
>
> The other is pam_pkcs11, where we authenticate using a key stored in a
> smartcard... and we can actually use *that* key to decrypt the storage.
>
> It would be really useful to be able to use those keys for decrypting
> GKR's storage... and ecryptfs and other things, for that matter.
>
> In the pam_pkcs11 case I imagine we'd want to pass a PKCS#11 URI through
> the PAM stack to those modules which might then want to use that key to
> attempt decryption.
>
> In the case of a key coming from escrow with the Microsoft BackupKey
> Remote Protocol, perhaps the PAM module there would also implement
> PKCS#11 entry points and we'd *also* do it with a PKCS#11 URI.

Yes, this is useful. I would suggest however that you encrypt a secret
with the key on the smart card, and use that secret to encrypt the
password keyring ... rather than doing it directly using the smart card.

Doing it with the extra step solves all sorts of issues with sharing
PKCS#11 sessions between processes, etc. In fact if you can put such a
secret as an AUTHTOK directly in the PAM stack after authenticating
with the smart card, gnome-keyring will happily use it.

Stef


