
TOMOYO Linux Cross Reference
Linux/Documentation/security/keys/ecryptfs.rst


Diff markup

Differences between /Documentation/security/keys/ecryptfs.rst (Version linux-6.12-rc7) and /Documentation/security/keys/ecryptfs.rst (Version policy-sample)


==========================================
Encrypted keys for the eCryptfs filesystem
==========================================

ECryptfs is a stacked filesystem which transpa
file using a randomly generated File Encryptio

Each FEK is in turn encrypted with a File Encr
either in kernel space or in user space with a
the former case the operation is performed dir
using a key, the FEKEK, derived from a user pr
the FEK is encrypted by 'ecryptfsd' with the h
to support other mechanisms like public key cr
operations.

The data structure defined by eCryptfs to cont
FEK decryption is called authentication token
kernel key of the 'user' type, inserted in the
by the userspace utility 'mount.ecryptfs' ship
'ecryptfs-utils'.

The 'encrypted' key type has been extended wit
format 'ecryptfs' in order to be used in conju
filesystem.  Encrypted keys of the newly intro
authentication token in its payload with a FEK
kernel and protected by the parent master key.

In order to avoid known-plaintext attacks, the
commands 'keyctl print' or 'keyctl pipe' does
authentication token, which content is well kn
encrypted form.

The eCryptfs filesystem may really benefit fro
required key can be securely generated by an A
time after the unsealing of a 'trusted' key in
controlled environment.  Another advantage is
threats of malicious software, because it is a
kernel level.

Usage::

   keyctl add encrypted name "new ecryptfs key
   keyctl add encrypted name "load hex_blob" r
   keyctl update keyid "update key-type:master

Where::

        name:= '<16 hexadecimal characters>'
        key-type:= 'trusted' | 'user'
        keylen:= 64


Example of encrypted key usage with the eCrypt

Create an encrypted key "1000100010001000" of
'ecryptfs' and save it using a previously load

    $ keyctl add encrypted 1000100010001000 "n
    19184530

    $ keyctl print 19184530
    ecryptfs user:test 64 490045d4bfe48c99f0d4
    dd85091f5450a0511219e9f7cd70dcd49803818146
    f253a41b7507ccaa4b2b03fff19a69d1cc0b16e717
    9d292e4bacded1258880122dd553a661

    $ keyctl pipe 19184530 > ecryptfs.blob

Mount an eCryptfs filesystem using the created
into the '/secret' directory::

    $ mount -i -t ecryptfs -oecryptfs_sig=1000
      ecryptfs_cipher=aes,ecryptfs_key_bytes=3
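As an added example (not code from the kernel or from ecryptfs-utils), the following Python validates the payload strings that the Usage block above hands to keyctl and parses the datablob that 'keyctl print' / 'keyctl pipe' emit for an 'ecryptfs'-format encrypted key, applying the rules of the Where block (a 16 hexadecimal character name, key-type 'trusted' or 'user', keylen 64). The hex part is treated as opaque ciphertext, since the text only states that it carries the FEKEK in encrypted form and not its internal layout. The mount-option cross-check assumes that eCryptfs accepts AES key sizes of 16, 24 or 32 bytes; the sample blob at the bottom is constructed for the example and is not the blob printed above.

```python
import re
from dataclasses import dataclass

# Rules from the "Where::" block of the text.
ECRYPTFS_FORMAT = "ecryptfs"
ECRYPTFS_KEYLEN = 64                        # keylen := 64
MASTER_KEY_TYPES = ("trusted", "user")      # key-type := 'trusted' | 'user'
_NAME_RE = re.compile(r"[0-9a-fA-F]{16}")   # name := '<16 hexadecimal characters>'
_HEX_RE = re.compile(r"[0-9a-fA-F]+")
# Assumption (not stated in the text): AES key sizes eCryptfs accepts, in bytes.
AES_KEY_BYTES = ("16", "24", "32")


@dataclass(frozen=True)
class MasterKey:
    key_type: str   # 'trusted' or 'user'
    name: str       # description of the master key, e.g. 'test'


@dataclass(frozen=True)
class Datablob:
    fmt: str
    master: MasterKey
    keylen: int
    ciphertext: bytes   # the FEKEK in encrypted form; opaque to this parser


def validate_key_name(name: str) -> str:
    """The key's description is what ecryptfs_sig refers to at mount time,
    so it must be exactly 16 hex characters."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"key name must be 16 hex characters, got {name!r}")
    return name.lower()


def parse_master_key(spec: str) -> MasterKey:
    """'user:test' -> MasterKey('user', 'test'); other key types are refused."""
    key_type, sep, name = spec.partition(":")
    if not sep or not name:
        raise ValueError(f"expected key-type:master-key-name, got {spec!r}")
    if key_type not in MASTER_KEY_TYPES:
        raise ValueError(f"master key type must be trusted or user, got {key_type!r}")
    return MasterKey(key_type, name)


def parse_datablob(text: str) -> Datablob:
    """Parse 'keyctl print' / 'keyctl pipe' output for an ecryptfs-format key:
    '<format> <key-type>:<master-key-name> <keylen> <hex>'.  Whitespace inside
    the hex part (line wrapping, as in the example above) is ignored."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("datablob needs '<format> <master-key> <keylen> <hex>'")
    fmt, master, keylen, hexpart = fields[0], fields[1], fields[2], "".join(fields[3:])
    if fmt != ECRYPTFS_FORMAT:
        raise ValueError(f"unexpected format {fmt!r}")
    if not keylen.isdigit() or int(keylen) != ECRYPTFS_KEYLEN:
        raise ValueError(f"ecryptfs keys are {ECRYPTFS_KEYLEN} bytes long, got {keylen!r}")
    if len(hexpart) % 2 or not _HEX_RE.fullmatch(hexpart):
        raise ValueError("blob is not an even-length hex string")
    return Datablob(fmt, parse_master_key(master), int(keylen), bytes.fromhex(hexpart))


def parse_payload(payload: str) -> dict:
    """Validate the payload given to 'keyctl add encrypted' or 'keyctl update':
    'new ecryptfs key-type:master-key-name keylen', 'load hex_blob' or
    'update key-type:master-key-name'."""
    op, _, rest = payload.strip().partition(" ")
    if op == "new":
        parts = rest.split()
        if len(parts) != 3 or parts[0] != ECRYPTFS_FORMAT:
            raise ValueError("expected 'new ecryptfs key-type:master-key-name keylen'")
        if not parts[2].isdigit() or int(parts[2]) != ECRYPTFS_KEYLEN:
            raise ValueError(f"keylen must be {ECRYPTFS_KEYLEN} for the ecryptfs format")
        return {"op": op, "master": parse_master_key(parts[1]), "keylen": ECRYPTFS_KEYLEN}
    if op == "load":
        return {"op": op, "blob": parse_datablob(rest)}
    if op == "update":
        if len(rest.split()) != 1:
            raise ValueError("expected 'update key-type:master-key-name'")
        return {"op": op, "master": parse_master_key(rest.strip())}
    raise ValueError(f"unknown operation {op!r}")


def check_mount_options(key_name: str, options: str) -> dict:
    """Cross-check the mount -o string against the key that was created:
    ecryptfs_sig must equal the key's name and, for aes, ecryptfs_key_bytes
    must be one of the assumed AES key sizes."""
    opts = {}
    for item in options.split(","):
        key, _, value = item.partition("=")
        if key:
            opts[key] = value
    if opts.get("ecryptfs_sig", "").lower() != validate_key_name(key_name):
        raise ValueError("ecryptfs_sig does not name the encrypted key that was created")
    if opts.get("ecryptfs_cipher") == "aes" and opts.get("ecryptfs_key_bytes") not in AES_KEY_BYTES:
        raise ValueError("ecryptfs_key_bytes must be 16, 24 or 32 for aes")
    return opts


# Constructed sample (not the blob shown in the text): 112 opaque bytes,
# wrapped across lines the way the example above wraps its output.
SAMPLE_PRINT = """ecryptfs user:test 64 00112233445566778899aabbccddeeff
00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
"""

if __name__ == "__main__":
    blob = parse_datablob(SAMPLE_PRINT)
    print(parse_payload("new ecryptfs user:test 64"))
    print(blob.master, blob.keylen, len(blob.ciphertext))
    print(check_mount_options("1000100010001000",
          "ecryptfs_sig=1000100010001000,ecryptfs_cipher=aes,ecryptfs_key_bytes=32"))
```

Feed `parse_datablob` the output of `keyctl print <keyid>` before saving it with `keyctl pipe`, and `parse_payload` the string you are about to pass to `keyctl add encrypted ... "load ..."`; a key name that is not 16 hex characters, a master key of a type other than 'trusted' or 'user', or a keylen other than 64 is rejected here by the same rules the Where block states.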
                                                      
