Any way to integrate Microsoft PKI into dm-crypt?


All -

I have been asked if there is a way to incorporate Microsoft's PKI with
dm-crypt.  The story here is that with Microsoft's disk encryption, you
can decrypt a directory using an organization key.  An example is  when
an employee leaves and does not tell anyone what his/her passphrase was.

I know with LUKS it's easy to set up multiple passwords.  But is there a
way to use an x509 certificate to set up access?

Thanks!
--
Thomas Cameron, RHCE, RHCX, CNE, MCSE, MCT
Solutions Architect Team Lead, Central Region
512-241-0774 office / 512-585-5631 cell / 512-857-1345 fax
wof | 17 Jul 00:59

Re: Any way to integrate Microsoft PKI into dm-crypt?

On Wednesday 16 July 2008 23:42:13 Thomas Cameron (Red Hat) wrote:
> All -
>
> I have been asked if there is a way to incorporate Microsoft's PKI with
> dm-crypt.  The story here is that with Microsoft's disk encryption, you
> can decrypt a directory using an organization key.  An example is  when
> an employee leaves and does not tell anyone what his/her passphrase was.
>
I'm not sure if I get your question. There is no native support from 
Microsoft's PKI to dm-crypt and the other way.

If you need a backup key for your disk encryption, you can backup the key. 
This is merely an organisational process.

dm-crypt is a device encryption, EFS is based on files and directories. This 
is different. If you would like to have features like EFS in Linux, maybe
eCryptfs (http://ecryptfs.sourceforge.net/) is the right thing for you. 
dm-crypt doesn't support x509, but you can use the certificates to encrypt
the used key. 

> I know with LUKS it's easy to set up multiple passwords.  But is there a
> way to use an x509 certificate to set up access?

Not directly, but you can use e.g. openssl to encrypt/decrypt a key with an x509 
certificate and use this key for LUKS or native dm-crypt.

wof
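As an added example (not code from the thread), the scheme wof describes as a shell script: a random keyfile is added as an extra LUKS key slot, the keyfile is encrypted to the organisation's X.509 certificate with `openssl cms`, and the matching private key unwraps it when an admin has to recover the volume. The key pair names org.key/org.crt, the device /dev/sdX and the mapper name "recovered" are assumptions; the cryptsetup steps need root and are kept separate from the round-trip check.

```shell
# Added example, not from the thread: wrap a LUKS keyfile for the organisation
# with openssl and an X.509 certificate, as wof suggests. Assumed names:
# org.key/org.crt, keyfile, /dev/sdX, mapper name "recovered".

# Throwaway recovery key pair for the demo. In production only org.crt goes
# to the machines; org.key stays offline (smartcard/HSM) with the admins.
make_org_cert() {            # $1 = directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Org Recovery" \
        -keyout "$1/org.key" -out "$1/org.crt" 2>/dev/null
}

# Random 512-bit keyfile that becomes an extra LUKS key slot.
make_keyfile() {             # $1 = path
    head -c 64 /dev/urandom > "$1" && chmod 600 "$1"
}

# CMS enveloped data: content under AES-256, content key encrypted to the
# certificate's public key. Only the holder of org.key can unwrap it.
escrow_keyfile() {           # $1 = keyfile, $2 = cert, $3 = output
    openssl cms -encrypt -binary -aes-256-cbc -in "$1" -outform DER -out "$3" "$2"
}

recover_keyfile() {          # $1 = wrapped blob, $2 = private key, $3 = output
    openssl cms -decrypt -inform DER -in "$1" -inkey "$2" -out "$3" && chmod 600 "$3"
}

# Round trip: returns 0 only if the unwrapped keyfile is byte-identical.
escrow_roundtrip() {
    dir=$(mktemp -d) || return 1
    make_org_cert "$dir" && make_keyfile "$dir/keyfile" \
        && escrow_keyfile "$dir/keyfile" "$dir/org.crt" "$dir/keyfile.p7" \
        && recover_keyfile "$dir/keyfile.p7" "$dir/org.key" "$dir/rec.key" \
        && cmp -s "$dir/keyfile" "$dir/rec.key"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Enrol the escrowed key on a LUKS volume (root + current passphrase). The
# plaintext keyfile is shredded; only keyfile.p7 is kept with the inventory.
luks_enroll_escrow_key() {   # $1 = LUKS device, $2 = keyfile, $3 = cert
    cryptsetup luksAddKey "$1" "$2" && escrow_keyfile "$2" "$3" "$2.p7" && shred -u "$2"
}

# Admin recovery when the passphrase is lost: unwrap, open, remove plaintext.
luks_recover_open() {        # $1 = wrapped blob, $2 = private key, $3 = device
    recover_keyfile "$1" "$2" /dev/shm/rec.key \
        && cryptsetup luksOpen --key-file /dev/shm/rec.key "$3" recovered
    shred -u /dev/shm/rec.key
}
```

The same wrapping works for a plain dm-crypt keyfile, but there the keyfile is the only key, so losing keyfile.p7 or org.key loses the volume.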
Re: Any way to integrate Microsoft PKI into dm-crypt?


wof wrote:
> On Wednesday 16 July 2008 23:42:13 Thomas Cameron (Red Hat) wrote:
>> All -
>>
>> I have been asked if there is a way to incorporate Microsoft's PKI with
>> dm-crypt.  The story here is that with Microsoft's disk encryption, you
>> can decrypt a directory using an organization key.  An example is  when
>> an employee leaves and does not tell anyone what his/her passphrase was.
>>
> I'm not sure if I get your question. There is no native support from 
> Microsoft's PKI to dmcrypt and the other way.

I probably did not phrase it well, sorry.

> If you need a backup key for your disk encryption, you can backup the key. 
> This is merely an organisational process.

That I understand, but the customer is asking about doing something like
what Microsoft does when the key is lost, that an admin can still access
the encrypted information.

> dm-crypt is a device encryption, EFS is based on files and directories. This 
> is a different. If you would like to have features like EFS in Linux mayby
> eCryptfs (http://ecryptfs.sourceforge.net/) is the right thing for you. 
> dm-crypt doesn't support x509, but you can use the certificates to encrypt
> the used key. 

Arno Wagner | 17 Jul 03:07

Re: Any way to integrate Microsoft PKI into dm-crypt?

On Wed, Jul 16, 2008 at 06:09:26PM -0500, Thomas Cameron (Red Hat) wrote:
> wof wrote:
> > On Wednesday 16 July 2008 23:42:13 Thomas Cameron (Red Hat) wrote:
> >> All -
> >>
> >> I have been asked if there is a way to incorporate Microsoft's PKI with
> >> dm-crypt.  The story here is that with Microsoft's disk encryption, you
> >> can decrypt a directory using an organization key.  An example is  when
> >> an employee leaves and does not tell anyone what his/her passphrase was.
> >>
> > I'm not sure if I get your question. There is no native support from 
> > Microsoft's PKI to dmcrypt and the other way.
> 
> I probably did not phrase it well, sorry.
> 
> > If you need a backup key for your disk encryption, you can backup the key. 
> > This is merely an organisational process.
> 
> That I understand, but the customer is asking about doing something like
> what Microsoft does when the key is lost, that an admin can still access
> the encrypted information.

The only way to do that is with LUKS and setting more than one key.
You can then call one of them the "organizational" key and store
it separately. With dm-crypt there is only one key and this approach
is not possible.

 
> > dm-crypt is a device encryption, EFS is based on files and directories. This 
> > is a different. If you would like to have features like EFS in Linux mayby