Bug 741247 - Support storage decryption using external key
Status: RESOLVED OBSOLETE
Product: gnome-keyring
Classification: Core
Component: pam
Version: unspecified
Hardware: Other
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: GNOME keyring maintainer(s)
Depends on:
Blocks:
Reported: 2014-12-08 13:25 UTC by David Woodhouse
Modified: 2021-06-18 10:40 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description David Woodhouse 2014-12-08 13:25:45 UTC
Automatically unlocking using the login password obtained through the PAM stack is cute, but not always possible.

I have users who authenticate using pam_winbind with their Active Directory password. When their password hasn't changed, GKR works nicely. But sometimes their password has changed on the network, and they need to log in with a password that *doesn't* suffice to unlock their GKR storage.

However, Active Directory supports a kind of 'key escrow' where if you have the current password you *can* get at a private key... so if we store a copy of the GKR storage session key encrypted with *that* key, we have a viable unlock path when the network password has changed on us.
cf. https://bugzilla.samba.org/show_bug.cgi?id=9979

Another situation in which the traditional password-based method doesn't work is when users are logging in using a smartcard and pam_pkcs11. But again there's a key on the smartcard which we can use to decrypt the GKR storage.
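The two-path design sketched in this report, as an added Go example that is not part of the bug or of gnome-keyring's code: one storage master key is wrapped twice, once under a KEK derived from the login password (the path the PAM module already uses) and once under RSA-OAEP to an external public key. The in-process RSA key stands in for the AD/BKRP escrow key or the smartcard key; PBKDF2-HMAC-SHA256, AES-256-GCM and the "pw-slot"/"ext-slot" labels are choices made for this example, not gnome-keyring's actual on-disk format. When the password slot fails to authenticate (the network password changed), the external private-key operation recovers the same master key, and the password slot is re-wrapped under the password that just authenticated.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

const kdfIter = 100000 // PBKDF2 iterations; constructed demo value, not gnome-keyring's

// pwSlot holds the storage master key wrapped under a password-derived KEK.
type pwSlot struct{ salt, nonce, wrapped []byte }

// Keyring models one master key with two independent unlock paths: the login
// password (today's PAM path) and an external RSA key standing in for the
// AD/BKRP escrow key or the smartcard key described in the report.
type Keyring struct {
	pw       pwSlot
	external []byte // master key under RSA-OAEP to the external public key
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 for a 32-byte key, i.e.
// a single block, written out so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): the first and only block index
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for j := 1; j < iter; j++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for k := range t {
			t[k] ^= u[k]
		}
	}
	return t
}

// gcm builds AES-256-GCM; the constructors only fail on bad sizes, which the
// fixed 32-byte KEK rules out.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read never returns an error as of Go 1.24
	return b
}

// wrapPassword derives a fresh KEK from the password and seals the master key.
func wrapPassword(master []byte, password string) pwSlot {
	s := pwSlot{salt: randBytes(16), nonce: randBytes(12)}
	kek := pbkdf2SHA256([]byte(password), s.salt, kdfIter)
	s.wrapped = gcm(kek).Seal(nil, s.nonce, master, []byte("pw-slot"))
	return s
}

// NewKeyring generates the master key and both wrappings. Only the external
// public key is needed here; the private operation stays on the card or with
// the escrow service until unlock time.
func NewKeyring(password string, pub *rsa.PublicKey) (*Keyring, []byte, error) {
	master := randBytes(32)
	ext, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, master, []byte("ext-slot"))
	if err != nil {
		return nil, nil, err
	}
	return &Keyring{pw: wrapPassword(master, password), external: ext}, master, nil
}

// UnlockWithPassword is the existing PAM path; GCM authentication fails once
// the password has changed elsewhere and the user logs in with the new one.
func (k *Keyring) UnlockWithPassword(password string) ([]byte, error) {
	kek := pbkdf2SHA256([]byte(password), k.pw.salt, kdfIter)
	return gcm(kek).Open(nil, k.pw.nonce, k.pw.wrapped, []byte("pw-slot"))
}

// UnlockWithExternalKey is the proposed fallback: the private-key operation
// recovers the same master key without knowing the old password.
func (k *Keyring) UnlockWithExternalKey(priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, k.external, []byte("ext-slot"))
}

// Unlock tries the login password, then the external key. After a fallback the
// password slot is re-wrapped under the password that just authenticated.
func (k *Keyring) Unlock(password string, priv *rsa.PrivateKey) ([]byte, string, error) {
	if master, err := k.UnlockWithPassword(password); err == nil {
		return master, "password", nil
	}
	master, err := k.UnlockWithExternalKey(priv)
	if err != nil {
		return nil, "", fmt.Errorf("no unlock path succeeded: %w", err)
	}
	k.pw = wrapPassword(master, password)
	return master, "external", nil
}
```

Two points worth keeping in mind with this layout. Both slots decrypt the same master key, so whoever controls the external private key (the domain's escrow service in the BKRP case) can open the storage without the user's password; that is the trust trade-off the fallback buys. And the re-wrap after a fallback is what retires the stale password slot: without it the old password would keep unlocking the storage, and every later login would go through the slower external path.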
Comment 1 Stef Walter 2014-12-08 14:32:33 UTC
Yes, such a contribution to gnome-keyring would be very interesting.

Are you planning on working on this, and wish to track the work here? If not, perhaps posting to a mailing list would be a better place for discussion and/or looking for someone interested in working on this. Such mailing lists include:

 * desktop-devel-list: https://mail.gnome.org/mailman/listinfo/desktop-devel-list
 * gnome-keyring-list: https://mail.gnome.org/mailman/listinfo/gnome-keyring-list
Comment 2 David Woodhouse 2014-12-08 17:20:02 UTC
Realistically speaking I'm not going to get it done in the immediate future but yes, in the medium term I plan to work on this. Like the Samba/BKRP bug referenced above, this serves partly as a placeholder. I can remember the Samba use case but I don't want to forget the pam_pkcs11 one.
Comment 3 André Klapper 2021-06-18 10:40:52 UTC
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org. As part of that, we are mass-closing older open tickets in bugzilla.gnome.org which have not seen updates for a longer time (resources are unfortunately quite limited so not every ticket can get handled).

If you can still reproduce the situation described in this ticket in a recent and supported software version, then please follow
  https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines
and create a new ticket at
  https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/

Thank you for your understanding and your help.