[SmartcardServices-Users] [Fed-Talk] Re: Require smart card login

Paul Nelson nelson at thursby.com
Mon Jan 24 13:49:22 PST 2011


Shawn,

Can you answer a very simple question?  Suppose I have a smart card, and I want to create a File Vault image using my smart card as the credentials.
I want to put the file vault image on a thumb drive so I can encrypt data on the thumb drive.

Is there a way to create such a file vault disk?  (assuming my smart card can be used for data encryption as a minimum)

Paul Nelson
Thursby Software Systems, Inc.


On Jan 21, 2011, at 3:41 PM, Shawn Geddis wrote:

> On Jan 19, 2011, at 2:26 PM, Henry B. Hotz wrote:
>> Is there a similar command which can be used to substitute a cert for the Master Password?
>> 
>> Seems silly to protect a single user that way if you can still use a plain old password as a go-around.
> 
> Henry,
> 
> I want to be sure I did not lose the intent of the original question, so please correct me if I misstate it in any way -- I will correct it then!
> 
> Folks who want all of the in-depth discussion of FileVault, the encrypted storage and usage of keys should take a look at my whitepaper:  
> 
> Best Practices for Using FileVault 
> http://images.apple.com/server/macosx/docs/L416842B-US_Best_Practices_for_Using_FileVault_White_Paper-2.pdf
> 
> and a related whitepaper...
> 
> Best Practices for Data Protection
> http://images.apple.com/server/macosx/docs/L416841B-US_Best_Practices_For_Data_Protection_White_Paper-1.pdf
> 
> 
> As a short description here.... with a longer one in the FV document noted above...
> 
> I believe the reference to a "Master Password" is a bit misleading for IT folks when discussing FileVault.  An Encrypted Container / Logical Volume (a.k.a. Encrypted Disk Image) storing and protecting a User's Home Directory can be accessed by either of two paths:  a) successful entry of User Credentials; or b) having the FileVault Master Identity (Self-Signed Certificate & corresponding Private Key).  The "Master Password" is a simplified method for 'joe/jane user' on their own to access the FileVault Master Identity when s/he is managing the complete system.
> 
> Methods of accessing Encrypted Container:
>     a) User Login         1) Entry of Username/Password at Login
>                              PW -> PBKDF2: Password Based Key Derivation
>                              Derived Key (Symmetric Key) is used to unwrap Data Key (Symmetric Key - AES-128)
>                              Data Key is used to encrypt/decrypt the blocks of the logical volume
> 
>     b) FileVault Master   2) Escrow of the FV Identity is usually done by IT
>                              Best Practice: ONLY the Public Cert remains in the FileVaultMaster.keychain
>                              IT makes the escrowed Private Key (or simply the escrowed keychain) available during recovery
>                              IT unlocks access to Container and resets User Access Credential or extracts data of interest.
> 
> User Keychains can be protected by:
>     a) Password-based     PBKDF2 Key generated from password used for Keychain
>                           User's Default keychain for an account is created using Password used for account at creation time.
> 
>     b) Smart Card-based   Key obtained from Smart Card defined when using "systemkeychain -T token-protected-keychain-name"
> 
> 
> 
> -Shawn
> __________________________________________________
> Shawn Geddis                                       geddis at me.com
> Security Consulting Engineer                       geddis at apple.com
> __________________________________________________
> MacOSForge Project Lead:                           Smart Card Services
>     Web:    http://smartcardservices.macosforge.org/
>     Lists:  http://lists.macosforge.org/mailman/listinfo
> __________________________________________________
> 
> 
> 11921 Freedom Drive, Suite 600, Reston VA  20190-5634
> 
>> On Oct 13, 2010, at 1:37 PM, Shawn A. Geddis wrote:
>>> Your most appropriate protection of the User's Login Keychain is to protect it with the Smart Card and not the PIN.
>>> 
>>> How do you do that ?
>>> 
>>> $ sudo systemkeychain -T /Volumes/<user>/Library/keychains/login.keychain
>>> 
>>> 
>>> I notice this does not appear in the man page for systemkeychain (i.e. 'man systemkeychain'), but it does appear in the 'usage' for systemkeychain ('$ systemkeychain') -- so many of you may never have known this.  It has been around for quite some time and I know I have conveyed it in many different forums, but there are many new people on these lists who may benefit from this.
>>> 
>>> $ systemkeychain
>>> Usage:  systemkeychain -C [passphrase]  # (re)create system root keychain
>>>         systemkeychain [-k destination-keychain] -s source-keychain ...
>>>         systemkeychain -T token-protected-keychain-name
>>> 
>>> 
>>> -Shawn
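The two access paths Shawn describes above (password -> PBKDF2 -> derived key unwraps the AES-128 data key; or the escrowed FileVault Master Identity unwraps the same data key) can be modelled in a few dozen lines. The following is an added example written for this archive page, not Apple's or the Smart Card Services project's code. Two things are assumptions made here for the sake of a stand-alone script: the wrap primitive is an HMAC-SHA256 keystream plus integrity tag standing in for AES key wrap (the Python standard library has no AES), and the Master Identity is modelled as a random 256-bit escrow secret rather than an RSA certificate and private key. The iteration count is also assumed; the thread gives none.

```python
"""Two-path access to a volume data key: user password (PBKDF2) or escrowed
master secret.  Added illustration; not FileVault's actual implementation.

Assumptions (not from the thread): HMAC-based wrap instead of AES key wrap,
a symmetric 256-bit master secret instead of an RSA identity, 100k PBKDF2 rounds.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumed value; the page gives no count


def derive_kek(password: str, salt: bytes) -> bytes:
    """Path a): PBKDF2 turns the login password into a key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF stream (stand-in for AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, data_key: bytes) -> bytes:
    """Encrypt the data key under a KEK and append an integrity tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data_key, _keystream(kek, nonce, len(data_key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Return the data key, or None when the KEK is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def create_vault(password: str, master_secret: bytes) -> dict:
    """One random 16-byte (AES-128 sized) data key, wrapped twice: under the
    password-derived KEK and under the escrowed master secret."""
    data_key = os.urandom(16)
    salt = os.urandom(16)
    return {
        "salt": salt,
        "user_wrapped": wrap(derive_kek(password, salt), data_key),
        "master_wrapped": wrap(master_secret, data_key),
    }


def open_with_password(vault: dict, password: str) -> Optional[bytes]:
    """Path a): user login."""
    return unwrap(derive_kek(password, vault["salt"]), vault["user_wrapped"])


def open_with_master(vault: dict, master_secret: bytes) -> Optional[bytes]:
    """Path b): IT recovery with the escrowed identity."""
    return unwrap(master_secret, vault["master_wrapped"])


def reset_password_via_master(vault: dict, master_secret: bytes, new_password: str) -> bool:
    """Recovery step from the thread: IT unwraps with the escrowed identity and
    re-wraps the *same* data key under a new password.  The volume blocks are
    never re-encrypted, because the data key itself does not change."""
    data_key = open_with_master(vault, master_secret)
    if data_key is None:
        return False
    vault["salt"] = os.urandom(16)
    vault["user_wrapped"] = wrap(derive_kek(new_password, vault["salt"]), data_key)
    return True


if __name__ == "__main__":
    master = os.urandom(32)          # constructed escrow secret
    v = create_vault("correct horse", master)
    assert open_with_password(v, "correct horse") == open_with_master(v, master)
    assert open_with_password(v, "wrong password") is None
    assert reset_password_via_master(v, master, "new pass")
    assert open_with_password(v, "new pass") == open_with_master(v, master)
    print("both paths unwrap the same data key; reset kept it unchanged")
```

The point the script makes concrete is the one behind the "Master Password" confusion in the thread: there is a single data key, and the master identity is simply a second wrapping of it. Whoever holds the escrowed private key can open the container and re-wrap under a new user credential, which is why keeping only the public certificate in FileVaultMaster.keychain and escrowing the private key elsewhere matters.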
