fscrypt.git/crypto/crypto_test.go, branch v0.2.7 Go tool for managing Linux filesystem encryption Metadata support for v2 encryption policies 2020-01-05T18:02:13+00:00 Eric Biggers ebiggers@google.com 2019-12-16T03:31:39+00:00 2b25de6d445faefc28629603dd754aec9f744e60 Linux v5.4 and later supports v2 encryption policies. These have several advantages over v1 encryption policies: - Their encryption keys can be added/removed to/from the filesystem by non-root users, thus gaining the benefits of the filesystem keyring while also retaining support for non-root use. - They use a more standard, secure, and flexible key derivation function. Because of this, some future kernel-level fscrypt features will be implemented for v2 policies only. - They prevent a denial-of-service attack where a user could associate the wrong key with another user's encrypted files. Prepare the fscrypt tool to support v2 encryption policies by: - Adding a policy_version field to the EncryptionOptions, i.e. to the config file and to the policy metadata files. - Using the kernel-specified algorithm to compute the key descriptor for v2 policies. - Handling setting and getting v2 policies. Actually adding/removing the keys for v2 policies to/from the kernel is left for the next patch. 
Linux v5.4 and later supports v2 encryption policies.  These have
several advantages over v1 encryption policies:

- Their encryption keys can be added/removed to/from the filesystem by
  non-root users, thus gaining the benefits of the filesystem keyring
  while also retaining support for non-root use.

- They use a more standard, secure, and flexible key derivation
  function.  Because of this, some future kernel-level fscrypt features
  will be implemented for v2 policies only.

- They prevent a denial-of-service attack where a user could associate
  the wrong key with another user's encrypted files.

Prepare the fscrypt tool to support v2 encryption policies by:

- Adding a policy_version field to the EncryptionOptions, i.e. to the
  config file and to the policy metadata files.

- Using the kernel-specified algorithm to compute the key descriptor for
  v2 policies.

- Handling setting and getting v2 policies.

Actually adding/removing the keys for v2 policies to/from the kernel is
left for the next patch.
Add keyring package 2020-01-05T18:02:13+00:00 Eric Biggers ebiggers@google.com 2019-12-16T03:31:39+00:00 462d166d5355d33a05271d24de4d52f30dd62f67 In preparation for introducing support for the new filesystem-level keyrings, move the existing user keyring management code from security/keyring.go and crypto/crypto.go into a new package, 'keyring'. This package provides functions AddEncryptionKey, RemoveEncryptionKey, and GetEncryptionKeyStatus which delegate to either the filesystem keyring (added by a later patch) or to the user keyring. This provides a common interface to both types of keyrings, to the extent possible. 
In preparation for introducing support for the new filesystem-level
keyrings, move the existing user keyring management code from
security/keyring.go and crypto/crypto.go into a new package, 'keyring'.

This package provides functions AddEncryptionKey, RemoveEncryptionKey,
and GetEncryptionKeyStatus which delegate to either the filesystem
keyring (added by a later patch) or to the user keyring.  This provides
a common interface to both types of keyrings, to the extent possible.
Use latest fscrypt declarations from sys/unix 2019-11-27T19:28:14+00:00 Eric Biggers ebiggers@google.com 2019-11-27T19:28:14+00:00 82d01438a66212ce802721397a62c18a0b71b7ea Use the new name for fscrypt constants and structures which have been given a new name. Also use the named constant for the DIRECT_KEY fscrypt policy flag. No change in behavior. This is just preparing for future work. 
Use the new name for fscrypt constants and structures which have been
given a new name.

Also use the named constant for the DIRECT_KEY fscrypt policy flag.

No change in behavior.  This is just preparing for future work.
Fix various typos and grammatical errors (#141) 2019-09-09T02:46:59+00:00 ebiggers ebiggers@google.com 2019-09-09T02:46:59+00:00 6445dad7d66fa6a1867090fcd9602c98863649f6 These were found by a combination of manual review and a custom script that checks for common errors. Also removed an outdated sentence from the comment for setupBefore(). 
These were found by a combination of manual review and a custom script
that checks for common errors.

Also removed an outdated sentence from the comment for setupBefore().
 crypto: Move from libargon2 -> x/crypto/argon2 2018-02-09T11:36:11+00:00 Joseph Richey joerichey94@gmail.com 2018-02-08T10:37:42+00:00 5d71e1d16b069d7f6f22b7978f696af493a3c846 Use the golang library for the hashing function instead of the reference C implementation. This removes the dependancy on libargon2. As we are no longer doing our own error checking, we also eliminate those tests. 
Use the golang library for the hashing function instead of the reference
C implementation. This removes the dependancy on libargon2. As we are no
longer doing our own error checking, we also eliminate those tests.
crypto: Updated to include user parameter 2017-08-31T00:57:38+00:00 Joe Richey joerichey@google.com 2017-08-31T00:57:38+00:00 d685f6b232485a0dc0cc8b915561b9be37d32722 






crypto: Handle when "ulimit -l" is too low
2017-08-29T18:17:10+00:00

Joe Richey
joerichey94@gmail.com

2017-08-29T18:17:10+00:00

7568ca2aab4a3266eb95cbda64298e2292743c7b












cmd/fscrypt: purge command now clears cache
2017-08-18T05:49:44+00:00

Joe Richey joerichey@google.com
joerichey@google.com

2017-08-16T01:11:29+00:00

151e8965fa3a9c8f65e316430f9df0fa763fb02d












crypto: Add more tests for bad key lengths
2017-07-20T01:10:12+00:00

Joe Richey joerichey@google.com
joerichey@google.com

2017-07-20T00:54:12+00:00

a7eb527485dfe8871f303740dec9e67c2ac6bda1












Small fixes so "make lint" doesn't complain.
2017-07-18T06:16:00+00:00

Joe Richey joerichey@google.com
joerichey@google.com

2017-07-18T06:16:00+00:00

744dbff34969ef612b219cde5b8f116f3ae3d26f