Can I use the same Public Key for SSH Login and eCryptfs encryption?

Asked by Andreas Hilboll

In the eCryptfs FAQ, I read that I can use Public Keys to encrypt my data. Now I'm wondering if it's somehow possible to use the SAME key for SSH login to a remote machine?

On the remote machine, I have SSH Public Key logins enabled (actually, enforced), and it would be great if eCryptfs could use that very same key to unlock the ~/Private directory in one go.

Any help is greatly appreciated :)

Andreas.

Question information

Language: English
Status: Answered
For: eCryptfs
Assignee: No assignee
Dustin Kirkland  (kirkland) said :
#1

Sorry, that's not possible.
On Jan 11, 2012 7:35 AM, "andreas" <email address hidden>
wrote:

> New question #184371 on eCryptfs:
> https://answers.launchpad.net/ecryptfs/+question/184371
>
> In the eCryptfs FAQ, I read that I can use Public Keys to encrypt my data.
> Now I'm wondering if it's somehow possible to use the SAME key for SSH
> login to a remote machine?
>
> On the remote machine, I have SSH Public Key logins enabled (actually,
> enforced), and it would be great if eCryptfs could use that very same key
> to unlock the ~/Private directory in one go.
>
> Any help is greatly appreciated :)
>
> Andreas.

Andreas Hilboll (andreas-h) said :
#2

Do you mean it's not possible by design, or is it just not implemented?

In the latter case, I'd be willing to work on this ...

Dustin Kirkland  (kirkland) said :
#3

That's not the way ssh public key authentication works.

When you use public key authentication to ssh into a system, you don't
actually send your private key to the server. Rather, the SSH server
issues you a challenge. It gives you some random data, and asks you
to sign it with your private key, and then send it back to the server.
The server verifies this signature using your public key you have
stored there.

eCryptfs, by default, uses a symmetric passphrase, but as you have
found, it is possible (though rarely used) to use public/private keys.
In doing so, however, you would actually need to transmit the private
key over to the server that needs to read and write eCryptfs data.

If you want to work on some automation, scripts, or utilities that
help with that, I would be glad to review its design and
implementation for inclusion into ecryptfs-utils upstream. At this
point, the most user friendly implementation is to ask the remote user
to enter their secret wrapping passphrase at login. Personally, I
have no interest in writing this myself, though, so without a sound
design, I'd be inclined to mark it wont-fix. If you propose a
reasonable design here, we can convert this question into a bug and
work it there. Thanks!

Jani Uusitalo (uusijani) said :
#4

If transmitting the private ssh key over to the server is what we want to avoid, would this work:

1. Encrypt the fs with a symmetric key, encrypt the symmetric key with the ssh public key, store the asymmetrically encrypted symmetric key outside the encrypted fs, throw away the unencrypted symmetric key.
2. When logging in (and after establishing a secure link), send the encrypted (symmetric) key to the client for decryption, get back an unencrypted key to use for decrypting the fs.

(I'm only beginning to understand modern cryptography, so I may just have made a fool of myself, but what the hey, you live and learn.)
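
The two steps proposed in #4, sketched with the openssl CLI as an added example that is not part of the thread or of ecryptfs-utils. It assumes an RSA key in PEM form standing in for the SSH key; the function and file names are hypothetical, and one temporary directory plays both machines.

```shell
#!/usr/bin/env bash
# Added example of the wrapped-key flow from post #4 (openssl CLI).
# File and function names are hypothetical; one temp dir stands in for both hosts.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Client, once. Assumption: the SSH key is RSA and exported as PEM; a freshly
# generated key stands in for it here.
client_keygen() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/client_priv.pem" 2>/dev/null
    openssl pkey -in "$WORK/client_priv.pem" -pubout -out "$WORK/client_pub.pem"
}

# Server, step 1: create the symmetric passphrase, wrap it with the public key
# (RSA-OAEP), and keep only the wrapped blob outside the encrypted directory.
server_wrap() {
    local pass
    pass=$(openssl rand -hex 32)
    printf '%s' "$pass" | openssl pkeyutl -encrypt -pubin \
        -inkey "$WORK/client_pub.pem" -pkeyopt rsa_padding_mode:oaep \
        -out "$WORK/wrapped.bin"
    # Demo only: remember a digest so the round trip can be checked below.
    printf '%s' "$pass" | openssl dgst -sha256 -r | cut -d' ' -f1 \
        > "$WORK/pass.sha256"
}

# Client, step 2: unwrap a blob received over the established SSH session.
# The private key never leaves the client; the passphrase goes to stdout.
client_unwrap() {
    openssl pkeyutl -decrypt -inkey "${2:-$WORK/client_priv.pem}" \
        -pkeyopt rsa_padding_mode:oaep -in "$1"
}

# Server, step 2: check what came back (a real setup would pass it to the mount step).
roundtrip_ok() {
    local got
    got=$(client_unwrap "$WORK/wrapped.bin" | openssl dgst -sha256 -r | cut -d' ' -f1)
    [ "$got" = "$(cat "$WORK/pass.sha256")" ]
}

client_keygen
server_wrap
roundtrip_ok && echo "unwrapped passphrase matches"
```

In this flow the server still holds the plaintext passphrase while the directory is mounted, and the client decrypts whatever blob it is sent, so it should only unwrap for hosts it already trusts.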
