Integrate with SmartCard-HSM Key Domain #386

Closed
CardContact opened this issue Mar 28, 2019 · 3 comments

@CardContact

The latest SmartCard-HSM implements the concept of a key domain, in which a designated group of devices can share a group key.

I'd be interested to evaluate how this mechanism could be used to gain access to a file share encrypted with gocryptfs.

Initially we could try to get that integrated with an external program that tunnels the password or master key into gocryptfs. The next level of integration would be to use a PKCS#11 interface to derive the encryption key from a master key stored on the device, but ideally (from the user's perspective) the code would directly interact with the device in order to obtain the master key.

Is support for hardware tokens on the list of planned features already?

Andreas

@rfjakob
Owner

rfjakob commented Mar 30, 2019

So, gocryptfs used to have support for the Trezor HSM. It's disabled by default, and broken at the moment, unfortunately (#261).

But yes, having support for hardware tokens is something I do want, and interfacing with smartcards sounds appealing to me!

@rfjakob
Owner

rfjakob commented Aug 4, 2019

Note: YubiKey integration is trivial using the ykchalresp CLI utility:

$ ykchalresp -2 'Sample #2' | gocryptfs /path/to/my/fs /path/to/my/mnt

This is what you would call the "Initially" variant.

Is something similar available for SmartCard-HSM?
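
A fail-closed variant of the `ykchalresp | gocryptfs` pipe from the comment above, added here as an example (it is not part of the thread or of gocryptfs). In a plain pipe gocryptfs starts even if the token read fails, so this wrapper validates the response first; it assumes slot 2 is configured for HMAC-SHA1 challenge-response (a 40-character hex response), and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: fail-closed wrapper around `ykchalresp | gocryptfs`.
# Assumption: slot 2 is set up for HMAC-SHA1 challenge-response, so a
# valid response is exactly 40 hex characters.

# Print the token response for challenge $1, or return non-zero if the
# token is missing, times out, or answers with something unexpected.
token_passphrase() {
    resp=$(ykchalresp -2 "$1") || return 1
    [ "${#resp}" -eq 40 ] || return 1
    case $resp in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    printf '%s\n' "$resp"
}

# Mount cipherdir $2 on mountpoint $3 using the response to challenge $1.
# gocryptfs is only started once a well-formed response is in hand, so a
# failed token read never reaches it as an empty or partial password.
# The response travels over stdin, not argv, so it does not show up in
# the process list.
mount_with_token() {
    pw=$(token_passphrase "$1") || {
        echo "token response missing or malformed, not mounting" >&2
        return 1
    }
    printf '%s\n' "$pw" | gocryptfs "$2" "$3"
    rc=$?
    unset pw
    return "$rc"
}

# Usage: script CHALLENGE CIPHERDIR MOUNTPOINT
if [ "$#" -eq 3 ]; then
    mount_with_token "$@"
fi
```
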

@rfjakob
Owner

rfjakob commented Dec 30, 2020

Closing for inactivity.

Note: gocryptfs v2.0 gained support for FIDO2 tokens: #505

@rfjakob rfjakob closed this as completed Dec 30, 2020