Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

3 Commits   0 Branches   0 Tags
Index
Trunk
Branches
Tags
Trunk
Branches
Tags
Home page
Home page
orangepi/linux-orangepi-5.10.y.git/trunk/Documentation/security/keys/ecryptfs.rst 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  1) ==========================================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  2) Encrypted keys for the eCryptfs filesystem
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  3) ==========================================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  4) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  5) ECryptfs is a stacked filesystem which transparently encrypts and decrypts each
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  6) file using a randomly generated File Encryption Key (FEK).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  7) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  8) Each FEK is in turn encrypted with a File Encryption Key Encryption Key (FEKEK)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  9) either in kernel space or in user space with a daemon called 'ecryptfsd'.  In
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) the former case the operation is performed directly by the kernel CryptoAPI
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) using a key, the FEKEK, derived from a user prompted passphrase;  in the latter
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) the FEK is encrypted by 'ecryptfsd' with the help of external libraries in order
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) to support other mechanisms like public key cryptography, PKCS#11 and TPM based
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) operations.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) The data structure defined by eCryptfs to contain information required for the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) FEK decryption is called authentication token and, currently, can be stored in a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) kernel key of the 'user' type, inserted in the user's session specific keyring
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) by the userspace utility 'mount.ecryptfs' shipped with the package
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) 'ecryptfs-utils'.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) The 'encrypted' key type has been extended with the introduction of the new
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) format 'ecryptfs' in order to be used in conjunction with the eCryptfs
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) filesystem.  Encrypted keys of the newly introduced format store an
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) authentication token in its payload with a FEKEK randomly generated by the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) kernel and protected by the parent master key.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) In order to avoid known-plaintext attacks, the datablob obtained through
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) commands 'keyctl print' or 'keyctl pipe' does not contain the overall
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) authentication token, which content is well known, but only the FEKEK in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) encrypted form.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) The eCryptfs filesystem may really benefit from using encrypted keys in that the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) required key can be securely generated by an Administrator and provided at boot
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) time after the unsealing of a 'trusted' key in order to perform the mount in a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) controlled environment.  Another advantage is that the key is not exposed to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) threats of malicious software, because it is available in clear form only at
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) kernel level.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) Usage::
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42)    keyctl add encrypted name "new ecryptfs key-type:master-key-name keylen" ring
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43)    keyctl add encrypted name "load hex_blob" ring
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44)    keyctl update keyid "update key-type:master-key-name"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) Where::
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) 	name:= '<16 hexadecimal characters>'
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) 	key-type:= 'trusted' | 'user'
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) 	keylen:= 64
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) Example of encrypted key usage with the eCryptfs filesystem:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) Create an encrypted key "1000100010001000" of length 64 bytes with format
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) 'ecryptfs' and save it using a previously loaded user key "test"::
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58)     $ keyctl add encrypted 1000100010001000 "new ecryptfs user:test 64" @u
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59)     19184530
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61)     $ keyctl print 19184530
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62)     ecryptfs user:test 64 490045d4bfe48c99f0d465fbbbb79e7500da954178e2de0697
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63)     dd85091f5450a0511219e9f7cd70dcd498038181466f78ac8d4c19504fcc72402bfc41c2
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64)     f253a41b7507ccaa4b2b03fff19a69d1cc0b16e71746473f023a95488b6edfd86f7fdd40
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65)     9d292e4bacded1258880122dd553a661
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67)     $ keyctl pipe 19184530 > ecryptfs.blob
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) Mount an eCryptfs filesystem using the created encrypted key "1000100010001000"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) into the '/secret' directory::
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72)     $ mount -i -t ecryptfs -oecryptfs_sig=1000100010001000,\
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73)       ecryptfs_cipher=aes,ecryptfs_key_bytes=32 /secret /secret
cGit-ui 0.1.7
Git 2.40.0
Nginx 1.22.1

Where any material of this site is being reproduced, published or issued to others the reference to the source is obligatory.

© Andrey V. Kosteltsev, 2019 – 2025.