Why would I want to use public key anyway?

Asked by Dustin Kirkland 

eCryptfs has been well tested on EXT3, and it should work well on other popular local filesystems such as JFS, XFS, ReiserFS, and so forth. Changes in the 2.6.24 kernel make eCryptfs more functional on NFS and CIFS, although there is still a little more work to do in order to make eCryptfs function as well on networked filesystems as it currently works on local filesystems. There is a patch to help resolve an unlink bug with eCryptfs on NFS; this patch will eventually make it upstream once it is well tested.

Question information

Language: English
Status: Solved
For: eCryptfs
Assignee: No assignee
Solved by: Dustin Kirkland

Dustin Kirkland (kirkland) said (#1):

From the FAQ:

Cryptographic keys derived from passphrases are generally worthless. Most passphrases that people can reasonably remember lack even the strength of a 64-bit symmetric key. The idea behind using a public key is to provide an opportunity for two-factor authentication; for instance, with OpenSSL RSA, the PEM file is "something you have" and the passphrase is "something you know." This works best if you store your public key and your encrypted files on separate media.

The "public key" mode of operation in eCryptfs is actually more general than public key. It allows for arbitrary key modules to perform the File Encryption Key (FEK) encryption and decryption. The key module could do RSA. Or, it could retrieve an employee's key from a Domino server. Or, it could unseal the key protected by a Trusted Computing chip, which will only honor the unseal request if the machine is booted into a trusted state.

A key module now ships in ecryptfs-utils to interface with cryptographic tokens via PKCS#11. There is also a key module to interface with a TPM chip.
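The answer above describes two things: a pluggable key module that wraps and unwraps the FEK, and the two-factor argument for preferring a key held on separate media over a bare passphrase. The following is an added illustration written for this page, not code from eCryptfs or ecryptfs-utils, and it does not reproduce eCryptfs's on-disk format or its real key modules. It uses only the Python standard library, so the FEK wrapping is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag (a stand-in for the block cipher a real module would use), and the "token" is simply a random secret that would live on removable media. The class names, the `demo()` function and all sample secrets are constructed for the example.

```python
import hashlib
import hmac
import math
import secrets

# Sizes chosen for this illustration; not eCryptfs constants.
FEK_BYTES = 16        # the per-file File Encryption Key being protected
NONCE_BYTES = 16
TAG_BYTES = 32
PBKDF2_ROUNDS = 50_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for a block cipher so the
    example needs only the standard library."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def wrap_fek(wrapping_key: bytes, fek: bytes) -> bytes:
    """Encrypt-then-MAC the FEK under a key module's wrapping key."""
    nonce = secrets.token_bytes(NONCE_BYTES)
    ct = bytes(a ^ b for a, b in zip(fek, _keystream(wrapping_key, nonce, len(fek))))
    tag = hmac.new(wrapping_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_fek(wrapping_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong wrapping key is rejected, not decrypted to garbage."""
    nonce, ct, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    expected = hmac.new(wrapping_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong wrapping key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(wrapping_key, nonce, len(ct))))


class PassphraseModule:
    """Single factor: the wrapping key is derived from the passphrase alone,
    so its strength is bounded by how guessable the passphrase is."""

    def __init__(self, passphrase: str, salt: bytes):
        self.passphrase = passphrase.encode()
        self.salt = salt

    def wrapping_key(self) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", self.passphrase, self.salt, PBKDF2_ROUNDS)


class TokenPassphraseModule:
    """Two factors: a random secret kept on separate media ("something you have")
    and a passphrase ("something you know"). Both are needed to unwrap."""

    def __init__(self, token_secret: bytes, passphrase: str):
        self.token_secret = token_secret
        self.passphrase = passphrase.encode()

    def wrapping_key(self) -> bytes:
        from_passphrase = hashlib.pbkdf2_hmac(
            "sha256", self.passphrase, self.token_secret, PBKDF2_ROUNDS)
        return hmac.new(self.token_secret, from_passphrase, hashlib.sha256).digest()


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on a passphrase's strength: an 8-character lowercase
    passphrase gives about 37.6 bits, well under a 64-bit symmetric key."""
    return length * math.log2(alphabet_size)


def demo() -> dict:
    """Wrap one FEK with each module and show which recovery attempts succeed."""
    fek = secrets.token_bytes(FEK_BYTES)
    salt = secrets.token_bytes(16)
    token = secrets.token_bytes(32)      # constructed; would sit on removable media
    single = PassphraseModule("correct horse", salt)
    both = TokenPassphraseModule(token, "correct horse")
    blob_single = wrap_fek(single.wrapping_key(), fek)
    blob_both = wrap_fek(both.wrapping_key(), fek)

    def attempt(module, blob) -> bool:
        try:
            return unwrap_fek(module.wrapping_key(), blob) == fek
        except ValueError:
            return False

    return {
        "single_factor_roundtrip": attempt(single, blob_single),
        "two_factor_roundtrip": attempt(both, blob_both),
        "wrong_passphrase": attempt(TokenPassphraseModule(token, "wrong"), blob_both),
        "token_without_passphrase": attempt(TokenPassphraseModule(token, ""), blob_both),
        "passphrase_without_token": attempt(
            TokenPassphraseModule(secrets.token_bytes(32), "correct horse"), blob_both),
    }
```

Running `demo()` shows the point of the FAQ answer: the single-factor blob falls to whoever guesses the passphrase, while the two-factor blob is rejected when either the token file or the passphrase is missing, which is why the answer recommends keeping the key material and the encrypted files on separate media.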