
I'm trying to integrate PKI keys on a smartcard (using OpenSC) with eCryptFS mounts in order to facilitate stronger authorization checks.

Here's how I would encrypt the passphrase for the filesystem:

    pkcs15-tool --read-public-key $KEYID > ~/userpub.key
    <generate 63 digit random string> | openssl rsautl -encrypt -inkey \
          ~/userpub.key -pubin -out ~/.ecryptfskey

After being encrypted, the only way to unencrypt it is via the unexportable private key that is located on the smartcard.

Now, to actually mount the filesystem:

    exec 3<<<`pkcs15-crypt --raw --decipher --pkcs1 -k $KEYID -i ~/.ecryptfskey`
    mount -t ecryptfs $DIR $DIR -o key=passphrase:passphrase_passwd_fd=3,(etc)

In addition, I can use a similar method to encrypt the filesystem passphrase using another user's public key, allowing sharing of files.

This seems like a secure method, since the unencrypted key is piped through a file descriptor to the mount command for a one-time read. Am I missing an obvious mistake with my methodology? Is there a safer way?

Please note, we are trying to enable file-level encryption for on-demand use. LUKS would not work, as our machines are always on and thus whole-drive encryption would be useless.

(Note: We are stuck with a version of eCryptFS that does not have the pkcs11-helper)

Hyppy
  • 306
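
The wrap/unwrap flow from the question, as an added example that is not part of the original post: software RSA keys generated with `openssl` stand in for the smartcard key pairs (an assumption, since the real private key never leaves the card), and the user names, file names and function names are hypothetical. It feeds fd 3 from a pipe rather than a here-string, because bash can back `<<<` with a temporary file.

```shell
#!/bin/sh
# Added example. Software RSA keys stand in for the smartcard key pairs;
# all user names, file names and function names here are hypothetical.
set -eu
WORK=$(mktemp -d)                 # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT

# Stand-in for a card: on the real system the private half stays on the token.
make_keypair() {                  # $1 = user name
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.priv" 2>/dev/null
    openssl pkey -in "$WORK/$1.priv" -pubout -out "$WORK/$1.pub"
}

# Wrap the passphrase read from stdin under one user's public key.
# PKCS#1 v1.5 padding matches the --pkcs1 flag used on the card side.
wrap_for() {                      # $1 = user name
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/$1.pub" \
        -pkeyopt rsa_padding_mode:pkcs1 -out "$WORK/$1.wrapped"
}

# Stand-in for: pkcs15-crypt --raw --decipher --pkcs1 -k $KEYID -i <file>
unwrap_as() {                     # $1 = user name
    openssl pkeyutl -decrypt -inkey "$WORK/$1.priv" \
        -pkeyopt rsa_padding_mode:pkcs1 -in "$WORK/$1.wrapped"
}

# Hand the cleartext to a consumer on fd 3 through a pipe, so it is never
# written to a file. The { ...; } group stands in for the mount command.
read_on_fd3() {                   # $1 = user name
    unwrap_as "$1" | {
        IFS= read -r secret <&3 || true   # no trailing newline: read returns 1
        printf '%s' "$secret"
    } 3<&0
}

# 63 hex characters of randomness (constructed sample passphrase).
PASSPHRASE=$(openssl rand -hex 32 | cut -c1-63)
for user in alice bob; do         # hypothetical users sharing one filesystem
    make_keypair "$user"
    printf '%s' "$PASSPHRASE" | wrap_for "$user"
done
```

Each user's wrapped file is a different 256-byte blob, yet both unwrap to the same filesystem passphrase, which is what makes the sharing scheme in the question work.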

0 Answers