Diffstat (limited to 'Documentation/security/keys-ecryptfs.txt')
1 files changed, 0 insertions, 68 deletions
diff --git a/Documentation/security/keys-ecryptfs.txt b/Documentation/security/keys-ecryptfs.txt
deleted file mode 100644
@@ -1,68 +0,0 @@
- Encrypted keys for the eCryptfs filesystem
-ECryptfs is a stacked filesystem which transparently encrypts and decrypts each
-file using a randomly generated File Encryption Key (FEK).
-Each FEK is in turn encrypted with a File Encryption Key Encryption Key (FEFEK)
-either in kernel space or in user space with a daemon called 'ecryptfsd'. In
-the former case the operation is performed directly by the kernel CryptoAPI
-using a key, the FEFEK, derived from a user prompted passphrase; in the latter
-the FEK is encrypted by 'ecryptfsd' with the help of external libraries in order
-to support other mechanisms like public key cryptography, PKCS#11 and TPM based
-The data structure defined by eCryptfs to contain information required for the
-FEK decryption is called authentication token and, currently, can be stored in a
-kernel key of the 'user' type, inserted in the user's session specific keyring
-by the userspace utility 'mount.ecryptfs' shipped with the package
-The 'encrypted' key type has been extended with the introduction of the new
-format 'ecryptfs' in order to be used in conjunction with the eCryptfs
-filesystem. Encrypted keys of the newly introduced format store an
-authentication token in its payload with a FEFEK randomly generated by the
-kernel and protected by the parent master key.
-In order to avoid known-plaintext attacks, the datablob obtained through
-commands 'keyctl print' or 'keyctl pipe' does not contain the overall
-authentication token, which content is well known, but only the FEFEK in
-The eCryptfs filesystem may really benefit from using encrypted keys in that the
-required key can be securely generated by an Administrator and provided at boot
-time after the unsealing of a 'trusted' key in order to perform the mount in a
-controlled environment. Another advantage is that the key is not exposed to
-threats of malicious software, because it is available in clear form only at
- keyctl add encrypted name "new ecryptfs key-type:master-key-name keylen" ring
- keyctl add encrypted name "load hex_blob" ring
- keyctl update keyid "update key-type:master-key-name"
-name:= '<16 hexadecimal characters>'
-key-type:= 'trusted' | 'user'
-Example of encrypted key usage with the eCryptfs filesystem:
-Create an encrypted key "1000100010001000" of length 64 bytes with format
-'ecryptfs' and save it using a previously loaded user key "test":
- $ keyctl add encrypted 1000100010001000 "new ecryptfs user:test 64" @u
- $ keyctl print 19184530
- ecryptfs user:test 64 490045d4bfe48c99f0d465fbbbb79e7500da954178e2de0697
- $ keyctl pipe 19184530 > ecryptfs.blob
-Mount an eCryptfs filesystem using the created encrypted key "1000100010001000"
-into the '/secret' directory:
- $ mount -i -t ecryptfs -oecryptfs_sig=1000100010001000,\
- ecryptfs_cipher=aes,ecryptfs_key_bytes=32 /secret /secret