[SmartcardServices-Users] [Fed-Talk] Re: Require smart card login
Paul Nelson
nelson at thursby.com
Mon Jan 24 13:49:22 PST 2011
Shawn,
Can you answer a very simple question? Suppose I have a smart card, and I want to create a FileVault image using my smart card as the credentials.
I want to put the FileVault image on a thumb drive so I can encrypt data on the thumb drive.
Is there a way to create such a FileVault disk? (assuming my smart card can be used for data encryption as a minimum)
Paul Nelson
Thursby Software Systems, Inc.
On Jan 21, 2011, at 3:41 PM, Shawn Geddis wrote:
> On Jan 19, 2011, at 2:26 PM, Henry B. Hotz wrote:
>> Is there a similar command which can be used to substitute a cert for the Master Password?
>>
>> Seems silly to protect a single user that way if you can still use a plain old password as a go-around.
>
> Henry,
>
> I want to be sure I did not lose the intent of the original question, so please correct me if I misstate it in any way -- I will correct it then!
>
> Folks who want all of the in-depth discussion of FileVault, the encrypted storage and usage of keys should take a look at my whitepaper:
>
> Best Practices for Using FileVault
> http://images.apple.com/server/macosx/docs/L416842B-US_Best_Practices_for_Using_FileVault_White_Paper-2.pdf
>
> and a related whitepaper...
>
> Best Practices for Data Protection
> http://images.apple.com/server/macosx/docs/L416841B-US_Best_Practices_For_Data_Protection_White_Paper-1.pdf
>
>
> As a short description here.... with a longer one in the FV document noted above...
>
> I believe the reference to a "Master Password" is a bit misleading for IT folks when discussing FileVault. An Encrypted Container / Logical Volume (a.k.a. Encrypted Disk Image) storing and protecting a User's Home Directory can be accessed by either of two paths: a) successful entry of User Credentials; or b) having the FileVault Master Identity (Self-Signed Certificate & corresponding Private Key). The "Master Password" is a simplified method for 'joe/jane user' on their own to access the FileVault Master Identity when s/he is managing the complete system.
>
> Methods of accessing Encrypted Container:
> a) User Login
>      1) Entry of Username/Password at Login
>         PW -> PBKDF2: Password Based Key Derivation
>         Derived Key (Symmetric Key) is used to unwrap Data Key (Symmetric Key - AES-128)
>         Data Key is used to encrypt/decrypt the blocks of the logical volume
>
> b) FileVault Master
>      2) Escrow of the FV Identity is usually done by IT
>         Best Practice, ONLY the Public Cert remains in the FileVaultMaster.keychain
>         IT makes the escrowed Private Key (or simply the escrowed keychain) available during recovery
>         IT unlocks access to Container and resets User Access Credential or extracts data of interest.
>
> User Keychains can be protected by:
> a) Password-based PBKDF2 Key generated from password used for Keychain
>         User's Default keychain for an account is created using Password used for account at creation time.
>
> b) Smart Card-based Key obtained from Smart Card defined when using "systemkeychain -T token-protected-keychain-name"
>
> -Shawn
> __________________________________________________
> Shawn Geddis geddis at me.com
> Security Consulting Engineer geddis at apple.com
> __________________________________________________
> MacOSForge Project Lead: Smart Card Services
> Web: http://smartcardservices.macosforge.org/
> Lists: http://lists.macosforge.org/mailman/listinfo
> __________________________________________________
>
> 11921 Freedom Drive, Suite 600, Reston VA 20190-5634
>
>> On Oct 13, 2010, at 1:37 PM, Shawn A. Geddis wrote:
>>> Your most appropriate protection of the User's Login Keychain is to protect it with the Smart Card and not the PIN.
>>>
>>> How do you do that ?
>>>
>>> $ sudo systemkeychain -T /Volumes/<user>/Library/keychains/login.keychain
>>>
>>>
>>> I notice this does not appear in the man page for systemkeychain (i.e. 'man systemkeychain'), but it does appear in the 'usage' for systemkeychain ('$ systemkeychain') -- so many of you may never have known this. It has been around for quite some time and I know I have conveyed it in many different forums, but there are many new people on these lists who may benefit from this.
>>>
>>> $ systemkeychain
>>> Usage: systemkeychain -C [passphrase]                        # (re)create system root keychain
>>>        systemkeychain [-k destination-keychain] -s source-keychain ...
>>>        systemkeychain -T token-protected-keychain-name
>>>
>>>
>>> -Shawn
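The two access paths Shawn lays out (a PBKDF2 key derived from the user's password, or the escrowed Master Identity, each unwrapping the same data key) and the recovery step where IT resets the user credential without touching the encrypted blocks, as an added example that is not code from the thread or from Apple. Assumptions: since the Python standard library has no AES or RSA, an HMAC-SHA256 wrap-with-tag stands in for AES key wrapping, and a single escrow key stands in for the Master Identity's certificate/private-key pair; all keys and passwords are constructed.

```python
import hashlib, hmac, secrets

# Stand-in for AES key wrapping (stdlib has no AES): HMAC-SHA256 as a PRF gives a
# keystream to XOR the 16-byte data key, plus a tag over nonce+ciphertext so a wrong
# unwrapping key is detected instead of silently yielding a garbage data key.
def wrap(kek: bytes, data_key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(data_key, stream))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:32], blob[32:]
    expected = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key: slot does not unwrap")
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def derive_kek(password: str, salt: bytes) -> bytes:
    # Path (a): PBKDF2 turns the login password into the key that unwraps the data key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)

class Container:
    """One data key, two wrappings: user password slot and master (escrow) slot."""
    def __init__(self, password: str, master_key: bytes):
        data_key = secrets.token_bytes(16)   # the AES-128 data key of the real design
        self.salt = secrets.token_bytes(16)
        self.user_slot = wrap(derive_kek(password, self.salt), data_key)
        # Path (b): FileVault wraps this slot to the Master Identity's public cert and
        # unwraps it with the escrowed private key, which is why only the public cert
        # need remain on the machine; a symmetric escrow key stands in for that here.
        self.master_slot = wrap(master_key, data_key)

    def unlock_with_password(self, password: str) -> bytes:
        return unwrap(derive_kek(password, self.salt), self.user_slot)

    def unlock_with_master(self, master_key: bytes) -> bytes:
        return unwrap(master_key, self.master_slot)

    def reset_user_credential(self, master_key: bytes, new_password: str) -> None:
        # Recovery: IT recovers the data key via the master slot and re-wraps it under
        # a new password. The data key, and so the encrypted blocks, never change.
        data_key = self.unlock_with_master(master_key)
        self.salt = secrets.token_bytes(16)
        self.user_slot = wrap(derive_kek(new_password, self.salt), data_key)
```

A wrong password fails at the tag check rather than producing a bogus data key, and after a reset the old password no longer unwraps anything while the master slot still yields the original key.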