Poldi, GPGME, and Auth Keys
Meik Michalke
m at gnupg.org
Wed Nov 19 15:51:17 CET 2025
hi,
On Wednesday, 19 November 2025, 14:37:37 CET, Werner Koch via Gnupg-devel wrote:
> I don't think that we want to continue with Poldi. However, Gniibe
> wrote back in 2022 gpg-auth, which is a proper part of GnuPG. This
> should make it easier to use a token for authentication and drop the
> need for a password. It needs to be integrated into the display
> managers.
i would like to make things more complicated, if i may ;)
i'd love to use a token for login. however, i also have my home directory
encrypted using fscrypt, a feature of the ext4 file system:
https://github.com/google/fscrypt
this works well with passwords, because you can use your login password to
also decrypt an fscrypt directory, and there is a PAM module for fscrypt that
can do so automatically at login.
so if i used a token for login, i'd end up in an encrypted home (the same is
also true for logins with fingerprint sensors). so i would either need a
method to also type my password next to the token to unlock the file system,
or fscrypt would need to somehow support token auth as a method to unlock
encrypted file systems. the second approach feels much more elegant to me,
because i'd like to be able to use a token for unlocking file systems anyway.
fscrypt uses the password as a so called "protector". protectors encrypt the
actual encryption key for the file system. this way you can have multiple
protectors for the same file system, just like GnuPG can encrypt the same
symmetric encryption key for an email with various recipient keys. so it
should be possible to add a new protector class to fscrypt, like encrypting
the FS encryption key with gpg.
alternatively, after successful token auth, gpg-auth could decrypt a file in
memory containing the necessary password and hand it over to the existing
fscrypt PAM module? at that point, it wouldn't even have to be the login
password any longer but could be any kind of secret that was used as a
protector password.
kind regards :: m.eik
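The protector model described above (one directory key wrapped independently under several secrets, some password-derived and some not), as an added example that is not part of this post or of the fscrypt project: a stdlib-only Python sketch in which `EncryptedDir`, `wrap_key` and `password_protector_key` are assumed names, and HMAC-SHA256 in counter mode stands in for the real AES-based wrapping so it runs without extra libraries.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode stands in for AES so only the stdlib is needed.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _subkeys(wrapping_key):
    # Separate encryption and MAC keys derived from one protector key.
    return (hmac.new(wrapping_key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))

def wrap_key(wrapping_key, fs_key):
    # Encrypt-then-MAC the directory key under one protector's wrapping key.
    enc, mac = _subkeys(wrapping_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(fs_key, _keystream(enc, nonce, len(fs_key))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unwrap_key(wrapping_key, blob):
    # Returns the directory key, or None when the tag fails (wrong password/secret).
    enc, mac = _subkeys(wrapping_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))

def password_protector_key(password, salt):
    # Memory-hard KDF turns a login password into a 32-byte wrapping key.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=KEY_LEN)

class EncryptedDir:
    # One directory key, wrapped independently by any number of protectors.
    def __init__(self):
        self.fs_key = secrets.token_bytes(KEY_LEN)  # held only in memory
        self.protectors = {}  # name -> (kind, salt, wrapped blob): the on-disk metadata
    def add_password_protector(self, name, password):
        salt = secrets.token_bytes(16)
        self.protectors[name] = ("password", salt, wrap_key(password_protector_key(password, salt), self.fs_key))
    def add_raw_key_protector(self, name, raw_key):
        # A 32-byte secret released by another mechanism, e.g. gpg-auth after token auth.
        self.protectors[name] = ("raw", b"", wrap_key(raw_key, self.fs_key))
    def unlock(self, name, secret):
        kind, salt, blob = self.protectors[name]
        wk = password_protector_key(secret, salt) if kind == "password" else secret
        return unwrap_key(wk, blob)
```

Either protector alone recovers `fs_key`, and a wrong password or a tampered blob fails closed on the MAC rather than yielding a garbage key.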