[Owncloud] Encryption

Dirk Kastens dirk.kastens at uni-osnabrueck.de
Tue May 22 09:58:01 UTC 2012


Hi Frank,

> ownCloud updates the encrypted key, which is used to encrypt the files, every time a user or admin changes the password. So password change is possible.
> But this only works for local accounts at the moment and doesn't work with LDAP users because we don't get a notification if a password is changed remotely. The only solution to solve this is to store the password locally and compare it with the LDAP login password at the moment the user logs in and update the encrypted key. This would be a huge security problem obviously.
>
> Because of that, encryption and LDAP are both switched off by default currently. We don't recommend that admins turn on both at the same time because of the reason you just mentioned. I will add a warning to the code about that.
>
> Sorry for the trouble. We try to improve the encryption significantly in the next version and we hope to find a solution for ldap users.

OK, but I don't understand why you use the user's password as the key.
In the encryption module of Drupal, for example, you have to enter the
encryption key in the admin menu, and it is stored in the database.
Other systems are using a hidden file for the key. But the user password
is really a bad idea, IMO.

Dirk
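
The behaviour discussed in this thread, as an added sketch that is not part of the original message and not ownCloud's code: a file key wrapped under a password-derived key survives a local password change (old and new passwords are both seen), but not a password changed remotely in LDAP. All function names are hypothetical, and the XOR-plus-HMAC wrap is an assumption standing in for a real key-wrap cipher so the sketch runs on the standard library alone.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch


def _derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive a 32-byte wrapping pad and a separate MAC key from the password."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    pad = hmac.new(master, b"wrap", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return pad, mac_key


def wrap_key(file_key: bytes, password: str) -> dict:
    """Wrap the 32-byte file key under the password, using a fresh salt."""
    if len(file_key) != 32:
        raise ValueError("file key must be 32 bytes")
    salt = os.urandom(16)
    pad, mac_key = _derive(password, salt)
    blob = bytes(a ^ b for a, b in zip(file_key, pad))
    tag = hmac.new(mac_key, salt + blob, hashlib.sha256).digest()
    return {"salt": salt, "blob": blob, "tag": tag}


def unwrap_key(wrapped: dict, password: str) -> bytes:
    """Recover the file key; raise ValueError if the password is not the wrapping one."""
    pad, mac_key = _derive(password, wrapped["salt"])
    data = wrapped["salt"] + wrapped["blob"]
    expected = hmac.new(mac_key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, wrapped["tag"]):
        raise ValueError("wrong password: file key cannot be unwrapped")
    return bytes(a ^ b for a, b in zip(wrapped["blob"], pad))


def change_password(wrapped: dict, old: str, new: str) -> dict:
    """Local account: the server sees old and new, so it re-wraps the same file key."""
    return wrap_key(unwrap_key(wrapped, old), new)


def login_after_remote_change(wrapped: dict, new_password: str) -> bool:
    """LDAP account: the directory accepts new_password, but the stored wrap
    still depends on the old one, so the user's files stay unreadable."""
    try:
        unwrap_key(wrapped, new_password)
        return True
    except ValueError:
        return False
```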
