Merge pull request #148 from ebiggers/fscrypt-key-mgmt-improvements

Filesystem keyring and v2 encryption policy support

4 files changed, 1045 insertions, 0 deletions

diff --git a/keyring/fs_keyring.go b/keyring/fs_keyring.go
new file mode 100644
index 0000000..42c1648
--- /dev/null
+++ b/keyring/fs_keyring.go
@@ -0,0 +1,318 @@
+/*
+ * fs_keyring.go - Add/remove encryption policy keys to/from filesystem
+ *
+ * Copyright 2019 Google LLC
+ * Author: Eric Biggers (ebiggers@google.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package keyring
+
+/*
+#include <string.h>
+*/
+import "C"
+
+import (
+	"encoding/hex"
+	"log"
+	"os"
+	"os/user"
+	"sync"
+	"unsafe"
+
+	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
+
+	"github.com/google/fscrypt/crypto"
+	"github.com/google/fscrypt/filesystem"
+	"github.com/google/fscrypt/security"
+	"github.com/google/fscrypt/util"
+)
+
+var (
+	fsKeyringSupported      bool
+	fsKeyringSupportedKnown bool
+	fsKeyringSupportedLock  sync.Mutex
+)
+
+func checkForFsKeyringSupport(mount *filesystem.Mount) bool {
+	dir, err := os.Open(mount.Path)
+	if err != nil {
+		log.Printf("Unexpected error opening %q. Assuming filesystem keyring is unsupported.",
+			mount.Path)
+		return false
+	}
+	defer dir.Close()
+
+	// FS_IOC_ADD_ENCRYPTION_KEY with a NULL argument will fail with ENOTTY
+	// if the ioctl isn't supported.  Otherwise it should fail with EFAULT.
+	//
+	// Note that there's no need to check for FS_IOC_REMOVE_ENCRYPTION_KEY
+	// support separately, since it's guaranteed to be available if
+	// FS_IOC_ADD_ENCRYPTION_KEY is.  There's also no need to check for
+	// support on every filesystem separately, since either the kernel
+	// supports the ioctls on all fscrypt-capable filesystems or it doesn't.
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, dir.Fd(), unix.FS_IOC_ADD_ENCRYPTION_KEY, 0)
+	if errno == unix.ENOTTY {
+		log.Printf("Kernel doesn't support filesystem keyring. Falling back to user keyring.")
+		return false
+	}
+	if errno == unix.EFAULT {
+		log.Printf("Detected support for filesystem keyring")
+	} else {
+		// EFAULT is expected, but as long as we didn't get ENOTTY the
+		// ioctl should be available.
+		log.Printf("Unexpected error from FS_IOC_ADD_ENCRYPTION_KEY(%q, NULL): %v", mount.Path, errno)
+	}
+	return true
+}
+
+// isFsKeyringSupported returns true if the kernel supports the ioctls to
+// add/remove fscrypt keys directly to/from the filesystem.  For support to be
+// detected, the given Mount must be for a filesystem that supports fscrypt.
+func isFsKeyringSupported(mount *filesystem.Mount) bool {
+	fsKeyringSupportedLock.Lock()
+	defer fsKeyringSupportedLock.Unlock()
+	if !fsKeyringSupportedKnown {
+		fsKeyringSupported = checkForFsKeyringSupport(mount)
+		fsKeyringSupportedKnown = true
+	}
+	return fsKeyringSupported
+}
+
+// buildKeySpecifier converts the key descriptor string to an FscryptKeySpecifier.
+func buildKeySpecifier(spec *unix.FscryptKeySpecifier, descriptor string) error {
+	descriptorBytes, err := hex.DecodeString(descriptor)
+	if err != nil {
+		return errors.Errorf("key descriptor %q is invalid", descriptor)
+	}
+	switch len(descriptorBytes) {
+	case unix.FSCRYPT_KEY_DESCRIPTOR_SIZE:
+		spec.Type = unix.FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR
+	case unix.FSCRYPT_KEY_IDENTIFIER_SIZE:
+		spec.Type = unix.FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER
+	default:
+		return errors.Errorf("key descriptor %q has unknown length", descriptor)
+	}
+	copy(spec.U[:], descriptorBytes)
+	return nil
+}
+
+type savedPrivs struct {
+	ruid, euid, suid int
+}
+
+// dropPrivsIfNeeded drops privileges (UIDs only) to the given user if we're
+// working with a v2 policy key, and if the user is different from the user the
+// process is currently running as.
+//
+// This is needed to change the effective UID so that FS_IOC_ADD_ENCRYPTION_KEY
+// and FS_IOC_REMOVE_ENCRYPTION_KEY will add/remove a claim to the key for the
+// intended user, and so that FS_IOC_GET_ENCRYPTION_KEY_STATUS will return the
+// correct status flags for the user.
+func dropPrivsIfNeeded(user *user.User, spec *unix.FscryptKeySpecifier) (*savedPrivs, error) {
+	if spec.Type == unix.FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR {
+		// v1 policy keys don't have any concept of user claims.
+		return nil, nil
+	}
+	targetUID := util.AtoiOrPanic(user.Uid)
+	ruid, euid, suid := security.GetUids()
+	if euid == targetUID {
+		return nil, nil
+	}
+	if err := security.SetUids(targetUID, targetUID, euid); err != nil {
+		return nil, err
+	}
+	return &savedPrivs{ruid, euid, suid}, nil
+}
+
+// restorePrivs restores root privileges if needed.
+func restorePrivs(privs *savedPrivs) error {
+	if privs != nil {
+		return security.SetUids(privs.ruid, privs.euid, privs.suid)
+	}
+	return nil
+}
+
+// validateKeyDescriptor validates that the correct key descriptor was provided.
+// This isn't really necessary; this is just an extra sanity check.
+func validateKeyDescriptor(spec *unix.FscryptKeySpecifier, descriptor string) (string, error) {
+	if spec.Type != unix.FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER {
+		// v1 policy key: the descriptor is chosen arbitrarily by
+		// userspace, so there's nothing to validate.
+		return descriptor, nil
+	}
+	// v2 policy key.  The descriptor ("identifier" in the kernel UAPI) is
+	// calculated as a cryptographic hash of the key itself.  The kernel
+	// ignores the provided value, and calculates and returns it itself.  So
+	// verify that the returned value is as expected.  If it's not, the key
+	// doesn't actually match the encryption policy we thought it was for.
+	actual := hex.EncodeToString(spec.U[:unix.FSCRYPT_KEY_IDENTIFIER_SIZE])
+	if descriptor == actual {
+		return descriptor, nil
+	}
+	return actual,
+		errors.Errorf("provided and actual key descriptors differ (%q != %q)",
+			descriptor, actual)
+}
+
+// fsAddEncryptionKey adds the specified encryption key to the specified filesystem.
+func fsAddEncryptionKey(key *crypto.Key, descriptor string,
+	mount *filesystem.Mount, user *user.User) error {
+
+	dir, err := os.Open(mount.Path)
+	if err != nil {
+		return err
+	}
+	defer dir.Close()
+
+	argKey, err := crypto.NewBlankKey(int(unsafe.Sizeof(unix.FscryptAddKeyArg{})) + key.Len())
+	if err != nil {
+		return err
+	}
+	defer argKey.Wipe()
+	arg := (*unix.FscryptAddKeyArg)(argKey.UnsafePtr())
+
+	if err = buildKeySpecifier(&arg.Key_spec, descriptor); err != nil {
+		return err
+	}
+
+	raw := unsafe.Pointer(uintptr(argKey.UnsafePtr()) + unsafe.Sizeof(*arg))
+	arg.Raw_size = uint32(key.Len())
+	C.memcpy(raw, key.UnsafePtr(), C.size_t(key.Len()))
+
+	savedPrivs, err := dropPrivsIfNeeded(user, &arg.Key_spec)
+	if err != nil {
+		return err
+	}
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, dir.Fd(),
+		unix.FS_IOC_ADD_ENCRYPTION_KEY, uintptr(argKey.UnsafePtr()))
+	restorePrivs(savedPrivs)
+
+	log.Printf("FS_IOC_ADD_ENCRYPTION_KEY(%q, %s, <raw>) = %v", mount.Path, descriptor, errno)
+	if errno != 0 {
+		return errors.Wrap(ErrKeyAdd, errno.Error())
+	}
+	if descriptor, err = validateKeyDescriptor(&arg.Key_spec, descriptor); err != nil {
+		fsRemoveEncryptionKey(descriptor, mount, user)
+		return err
+	}
+	return nil
+}
+
+// fsRemoveEncryptionKey removes the specified encryption key from the specified
+// filesystem.
+func fsRemoveEncryptionKey(descriptor string, mount *filesystem.Mount,
+	user *user.User) error {
+
+	dir, err := os.Open(mount.Path)
+	if err != nil {
+		return err
+	}
+	defer dir.Close()
+
+	var arg unix.FscryptRemoveKeyArg
+	if err = buildKeySpecifier(&arg.Key_spec, descriptor); err != nil {
+		return err
+	}
+
+	ioc := unix.FS_IOC_REMOVE_ENCRYPTION_KEY
+	iocName := "FS_IOC_REMOVE_ENCRYPTION_KEY"
+	var savedPrivs *savedPrivs
+	if user == nil {
+		ioc = unix.FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS
+		iocName = "FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS"
+	} else {
+		savedPrivs, err = dropPrivsIfNeeded(user, &arg.Key_spec)
+		if err != nil {
+			return err
+		}
+	}
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, dir.Fd(), uintptr(ioc), uintptr(unsafe.Pointer(&arg)))
+	restorePrivs(savedPrivs)
+
+	log.Printf("%s(%q, %s) = %v, removal_status_flags=0x%x",
+		iocName, mount.Path, descriptor, errno, arg.Removal_status_flags)
+	switch errno {
+	case 0:
+		switch {
+		case arg.Removal_status_flags&unix.FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS != 0:
+			return ErrKeyAddedByOtherUsers
+		case arg.Removal_status_flags&unix.FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY != 0:
+			return ErrKeyFilesOpen
+		}
+		return nil
+	case unix.ENOKEY:
+		// ENOKEY means either the key is completely missing or that the
+		// current user doesn't have a claim to it.  Distinguish between
+		// these two cases by getting the key status.
+		if user != nil {
+			status, _ := fsGetEncryptionKeyStatus(descriptor, mount, user)
+			if status == KeyPresentButOnlyOtherUsers {
+				return ErrKeyAddedByOtherUsers
+			}
+		}
+		return ErrKeyNotPresent
+	default:
+		return errors.Wrap(ErrKeyRemove, errno.Error())
+	}
+}
+
+// fsGetEncryptionKeyStatus gets the status of the specified encryption key on
+// the specified filesystem.
+func fsGetEncryptionKeyStatus(descriptor string, mount *filesystem.Mount,
+	user *user.User) (KeyStatus, error) {
+
+	dir, err := os.Open(mount.Path)
+	if err != nil {
+		return KeyStatusUnknown, err
+	}
+	defer dir.Close()
+
+	var arg unix.FscryptGetKeyStatusArg
+	err = buildKeySpecifier(&arg.Key_spec, descriptor)
+	if err != nil {
+		return KeyStatusUnknown, err
+	}
+
+	savedPrivs, err := dropPrivsIfNeeded(user, &arg.Key_spec)
+	if err != nil {
+		return KeyStatusUnknown, err
+	}
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, dir.Fd(),
+		unix.FS_IOC_GET_ENCRYPTION_KEY_STATUS, uintptr(unsafe.Pointer(&arg)))
+	restorePrivs(savedPrivs)
+
+	log.Printf("FS_IOC_GET_ENCRYPTION_KEY_STATUS(%q, %s) = %v, status=%d, status_flags=0x%x",
+		mount.Path, descriptor, errno, arg.Status, arg.Status_flags)
+	if errno != 0 {
+		return KeyStatusUnknown, errors.Wrap(ErrKeySearch, errno.Error())
+	}
+	switch arg.Status {
+	case unix.FSCRYPT_KEY_STATUS_ABSENT:
+		return KeyAbsent, nil
+	case unix.FSCRYPT_KEY_STATUS_PRESENT:
+		if arg.Key_spec.Type != unix.FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR &&
+			(arg.Status_flags&unix.FSCRYPT_KEY_STATUS_FLAG_ADDED_BY_SELF) == 0 {
+			return KeyPresentButOnlyOtherUsers, nil
+		}
+		return KeyPresent, nil
+	case unix.FSCRYPT_KEY_STATUS_INCOMPLETELY_REMOVED:
+		return KeyAbsentButFilesBusy, nil
+	default:
+		return KeyStatusUnknown,
+			errors.Wrapf(ErrKeySearch, "unknown key status (%d)", arg.Status)
+	}
+}
diff --git a/keyring/keyring.go b/keyring/keyring.go
new file mode 100644
index 0000000..5a75153
--- /dev/null
+++ b/keyring/keyring.go
@@ -0,0 +1,155 @@
+/*
+ * keyring.go - Add/remove encryption policy keys to/from kernel
+ *
+ * Copyright 2019 Google LLC
+ * Author: Eric Biggers (ebiggers@google.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+// Package keyring manages adding, removing, and getting the status of
+// encryption policy keys to/from the kernel.  Most public functions are in
+// keyring.go, and they delegate to either user_keyring.go or fs_keyring.go,
+// depending on whether a user keyring or a filesystem keyring is being used.
+//
+// v2 encryption policies always use the filesystem keyring.
+// v1 policies use the user keyring by default, but can be configured to use the
+// filesystem keyring instead (requires root and kernel v5.4+).
+package keyring
+
+import (
+	"encoding/hex"
+	"os/user"
+	"strconv"
+
+	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
+
+	"github.com/google/fscrypt/crypto"
+	"github.com/google/fscrypt/filesystem"
+	"github.com/google/fscrypt/metadata"
+	"github.com/google/fscrypt/util"
+)
+
+// Keyring error values
+var (
+	ErrKeyAdd               = util.SystemError("could not add key to the keyring")
+	ErrKeyRemove            = util.SystemError("could not remove key from the keyring")
+	ErrKeyNotPresent        = errors.New("key not present or already removed")
+	ErrKeyFilesOpen         = errors.New("some files using the key are still open")
+	ErrKeyAddedByOtherUsers = errors.New("other users have added the key too")
+	ErrKeySearch            = errors.New("could not find key with descriptor")
+	ErrSessionUserKeying    = errors.New("user keyring not linked into session keyring")
+	ErrAccessUserKeyring    = errors.New("could not access user keyring")
+	ErrLinkUserKeyring      = util.SystemError("could not link user keyring into root keyring")
+)
+
+// Options are the options which specify *which* keyring the key should be
+// added/removed/gotten to, and how.
+type Options struct {
+	// Mount is the filesystem to which the key should be
+	// added/removed/gotten.
+	Mount *filesystem.Mount
+	// User is the user for whom the key should be added/removed/gotten.
+	User *user.User
+	// Service is the prefix to prepend to the description of the keys in
+	// user keyrings.  Not relevant for filesystem keyrings.
+	Service string
+	// UseFsKeyringForV1Policies is true if keys for v1 encryption policies
+	// should be put in the filesystem's keyring (if supported) rather than
+	// in the user's keyring.  Note that this makes AddEncryptionKey and
+	// RemoveEncryptionKey require root privileges.
+	UseFsKeyringForV1Policies bool
+}
+
+func shouldUseFsKeyring(descriptor string, options *Options) bool {
+	// For v1 encryption policy keys, use the filesystem keyring if
+	// use_fs_keyring_for_v1_policies is set in /etc/fscrypt.conf and the
+	// kernel supports it.
+	if len(descriptor) == hex.EncodedLen(unix.FSCRYPT_KEY_DESCRIPTOR_SIZE) {
+		return options.UseFsKeyringForV1Policies && isFsKeyringSupported(options.Mount)
+	}
+	// For v2 encryption policy keys, always use the filesystem keyring; the
+	// kernel doesn't support any other way.
+	return true
+}
+
+// AddEncryptionKey adds an encryption policy key to a kernel keyring.  It uses
+// either the filesystem keyring for the target Mount or the user keyring for
+// the target User.
+func AddEncryptionKey(key *crypto.Key, descriptor string, options *Options) error {
+	if err := util.CheckValidLength(metadata.PolicyKeyLen, key.Len()); err != nil {
+		return errors.Wrap(err, "policy key")
+	}
+	if shouldUseFsKeyring(descriptor, options) {
+		return fsAddEncryptionKey(key, descriptor, options.Mount, options.User)
+	}
+	return userAddKey(key, options.Service+descriptor, options.User)
+}
+
+// RemoveEncryptionKey removes an encryption policy key from a kernel keyring.
+// It uses either the filesystem keyring for the target Mount or the user
+// keyring for the target User.
+func RemoveEncryptionKey(descriptor string, options *Options, allUsers bool) error {
+	if shouldUseFsKeyring(descriptor, options) {
+		user := options.User
+		if allUsers {
+			user = nil
+		}
+		return fsRemoveEncryptionKey(descriptor, options.Mount, user)
+	}
+	return userRemoveKey(options.Service+descriptor, options.User)
+}
+
+// KeyStatus is an enum that represents the status of a key in a kernel keyring.
+type KeyStatus int
+
+// The possible values of KeyStatus.
+const (
+	KeyStatusUnknown = 0 + iota
+	KeyAbsent
+	KeyAbsentButFilesBusy
+	KeyPresent
+	KeyPresentButOnlyOtherUsers
+)
+
+func (status KeyStatus) String() string {
+	switch status {
+	case KeyStatusUnknown:
+		return "Unknown"
+	case KeyAbsent:
+		return "Absent"
+	case KeyAbsentButFilesBusy:
+		return "AbsentButFilesBusy"
+	case KeyPresent:
+		return "Present"
+	case KeyPresentButOnlyOtherUsers:
+		return "PresentButOnlyOtherUsers"
+	default:
+		return strconv.Itoa(int(status))
+	}
+}
+
+// GetEncryptionKeyStatus gets the status of an encryption policy key in a
+// kernel keyring.  It uses either the filesystem keyring for the target Mount
+// or the user keyring for the target User.
+func GetEncryptionKeyStatus(descriptor string, options *Options) (KeyStatus, error) {
+	if shouldUseFsKeyring(descriptor, options) {
+		return fsGetEncryptionKeyStatus(descriptor, options.Mount, options.User)
+	}
+	_, err := userFindKey(options.Service+descriptor, options.User)
+	if err != nil {
+		return KeyAbsent, nil
+	}
+	return KeyPresent, nil
+}
diff --git a/keyring/keyring_test.go b/keyring/keyring_test.go
new file mode 100644
index 0000000..8912556
--- /dev/null
+++ b/keyring/keyring_test.go
@@ -0,0 +1,350 @@
+/*
+ * keyring_test.go - tests for the keyring package
+ *
+ * Copyright 2017 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package keyring
+
+import (
+	"os/user"
+	"strconv"
+	"testing"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/google/fscrypt/crypto"
+	"github.com/google/fscrypt/filesystem"
+	"github.com/google/fscrypt/metadata"
+	"github.com/google/fscrypt/util"
+)
+
+// Reader that always returns the same byte
+type ConstReader byte
+
+func (r ConstReader) Read(b []byte) (n int, err error) {
+	for i := range b {
+		b[i] = byte(r)
+	}
+	return len(b), nil
+}
+
+// Makes a key of the same repeating byte
+func makeKey(b byte, n int) (*crypto.Key, error) {
+	return crypto.NewFixedLengthKeyFromReader(ConstReader(b), n)
+}
+
+var (
+	defaultService          = unix.FSCRYPT_KEY_DESC_PREFIX
+	testUser, _             = util.EffectiveUser()
+	fakeValidPolicyKey, _   = makeKey(42, metadata.PolicyKeyLen)
+	fakeInvalidPolicyKey, _ = makeKey(42, metadata.PolicyKeyLen-1)
+	fakeV1Descriptor        = "0123456789abcdef"
+	fakeV2Descriptor, _     = crypto.ComputeKeyDescriptor(fakeValidPolicyKey, 2)
+)
+
+func assertKeyStatus(t *testing.T, descriptor string, options *Options,
+	expectedStatus KeyStatus) {
+	status, err := GetEncryptionKeyStatus(descriptor, options)
+	if err != nil {
+		t.Error(err)
+	}
+	if status != expectedStatus {
+		t.Errorf("Expected key status %v but got key status %v", expectedStatus, status)
+	}
+}
+
+// getTestMount retrieves the Mount for a test filesystem, or skips the test if
+// no test filesystem is available.
+func getTestMount(t *testing.T) *filesystem.Mount {
+	root, err := util.TestRoot()
+	if err != nil {
+		t.Skip(err)
+	}
+	mount, err := filesystem.GetMount(root)
+	if err != nil {
+		t.Skip(err)
+	}
+	return mount
+}
+
+// getTestMountV2 is like getTestMount, but it also checks that the
+// filesystem keyring and v2 encryption policies are supported.
+func getTestMountV2(t *testing.T) *filesystem.Mount {
+	mount := getTestMount(t)
+	if !isFsKeyringSupported(mount) {
+		t.Skip("No support for fs keyring, skipping test.")
+	}
+	return mount
+}
+
+func requireRoot(t *testing.T) {
+	if !util.IsUserRoot() {
+		t.Skip("Not root, skipping test.")
+	}
+}
+
+// getNonRootUsers checks for root permission, then returns the users for uids
+// 1000...1000+count-1.  If this fails, the test is skipped.
+func getNonRootUsers(t *testing.T, count int) []*user.User {
+	requireRoot(t)
+	users := make([]*user.User, count)
+	for i := 0; i < count; i++ {
+		uid := 1000 + i
+		user, err := user.LookupId(strconv.Itoa(uid))
+		if err != nil {
+			t.Skip(err)
+		}
+		users[i] = user
+	}
+	return users
+}
+
+func getOptionsForFsKeyringUsers(t *testing.T, numNonRootUsers int) (rootOptions *Options, userOptions []*Options) {
+	mount := getTestMountV2(t)
+	nonRootUsers := getNonRootUsers(t, numNonRootUsers)
+	rootOptions = &Options{
+		Mount: mount,
+		User:  testUser,
+	}
+	userOptions = make([]*Options, numNonRootUsers)
+	for i := 0; i < numNonRootUsers; i++ {
+		userOptions[i] = &Options{
+			Mount: mount,
+			User:  nonRootUsers[i],
+		}
+	}
+	return
+}
+
+// testAddAndRemoveKey does the common tests for adding+removing keys that are
+// run in multiple configurations (v1 policies with user keyring, v1 policies
+// with fs keyring, and v2 policies with fs keyring).
+func testAddAndRemoveKey(t *testing.T, descriptor string, options *Options) {
+
+	// Basic add, get status, and remove
+	if err := AddEncryptionKey(fakeValidPolicyKey, descriptor, options); err != nil {
+		t.Error(err)
+	}
+	assertKeyStatus(t, descriptor, options, KeyPresent)
+	if err := RemoveEncryptionKey(descriptor, options, false); err != nil {
+		t.Error(err)
+	}
+	assertKeyStatus(t, descriptor, options, KeyAbsent)
+	err := RemoveEncryptionKey(descriptor, options, false)
+	if err != ErrKeyNotPresent {
+		t.Error(err)
+	}
+
+	// Adding a key twice should succeed
+	if err := AddEncryptionKey(fakeValidPolicyKey, descriptor, options); err != nil {
+		t.Error(err)
+	}
+	if err := AddEncryptionKey(fakeValidPolicyKey, descriptor, options); err != nil {
+		t.Error("AddEncryptionKey should not fail if key already exists")
+	}
+	RemoveEncryptionKey(descriptor, options, false)
+	assertKeyStatus(t, descriptor, options, KeyAbsent)
+
+	// Adding a key with wrong length should fail
+	if err := AddEncryptionKey(fakeInvalidPolicyKey, descriptor, options); err == nil {
+		RemoveEncryptionKey(descriptor, options, false)
+		t.Error("AddEncryptionKey should fail with wrong-length key")
+	}
+	assertKeyStatus(t, descriptor, options, KeyAbsent)
+}
+
+func TestUserKeyringDefaultService(t *testing.T) {
+	options := &Options{
+		User:                      testUser,
+		Service:                   defaultService,
+		UseFsKeyringForV1Policies: false,
+	}
+	testAddAndRemoveKey(t, fakeV1Descriptor, options)
+}
+
+func TestUserKeyringExt4Service(t *testing.T) {
+	options := &Options{
+		User:                      testUser,
+		Service:                   "ext4:",
+		UseFsKeyringForV1Policies: false,
+	}
+	testAddAndRemoveKey(t, fakeV1Descriptor, options)
+}
+
+func TestUserKeyringF2fsService(t *testing.T) {
+	options := &Options{
+		User:                      testUser,
+		Service:                   "f2fs:",
+		UseFsKeyringForV1Policies: false,
+	}
+	testAddAndRemoveKey(t, fakeV1Descriptor, options)
+}
+
+func TestFsKeyringV1PolicyKey(t *testing.T) {
+	requireRoot(t)
+	mount := getTestMountV2(t)
+	options := &Options{
+		Mount:                     mount,
+		User:                      testUser,
+		UseFsKeyringForV1Policies: true,
+	}
+	testAddAndRemoveKey(t, fakeV1Descriptor, options)
+}
+
+func TestV2PolicyKey(t *testing.T) {
+	mount := getTestMountV2(t)
+	options := &Options{
+		Mount: mount,
+		User:  testUser,
+	}
+	testAddAndRemoveKey(t, fakeV2Descriptor, options)
+}
+
+func TestV2PolicyKeyCannotBeRemovedByAnotherUser(t *testing.T) {
+	rootOptions, userOptions := getOptionsForFsKeyringUsers(t, 2)
+	user1Options := userOptions[0]
+	user2Options := userOptions[1]
+
+	// Add key as non-root user.
+	if err := AddEncryptionKey(fakeValidPolicyKey, fakeV2Descriptor, user1Options); err != nil {
+		t.Error(err)
+	}
+	assertKeyStatus(t, fakeV2Descriptor, user1Options, KeyPresent)
+	assertKeyStatus(t, fakeV2Descriptor, user2Options, KeyPresentButOnlyOtherUsers)
+	assertKeyStatus(t, fakeV2Descriptor, rootOptions, KeyPresentButOnlyOtherUsers)
+
+	// Key shouldn't be removable by another user, even root.
+	err := RemoveEncryptionKey(fakeV2Descriptor, user2Options, false)
+	if err != ErrKeyAddedByOtherUsers {
+		t.Error(err)
+	}
+	assertKeyStatus(t, fakeV2Descriptor, user1Options, KeyPresent)
+	assertKeyStatus(t, fakeV2Descriptor, user2Options, KeyPresentButOnlyOtherUsers)
+	assertKeyStatus(t, fakeV2Descriptor, rootOptions, KeyPresentButOnlyOtherUsers)
+	err = RemoveEncryptionKey(fakeV2Descriptor, rootOptions, false)
+	if err != ErrKeyAddedByOtherUsers {
+		t.Error(err)
+	}
+	assertKeyStatus(t, fakeV2Descriptor, user1Options, KeyPresent)
+	assertKeyStatus(t, fakeV2Descriptor, user2Options, KeyPresentButOnlyOtherUsers)
+	assertKeyStatus(t, fakeV2Descriptor, rootOptions, KeyPresentButOnlyOtherUsers)
+
+	if err := RemoveEncryptionKey(fakeV2Descriptor, user1Options, false); err != nil {
+		t.Error(err)
+	}
+	assertKeyStatus(t, fakeV2Descriptor, user1Options, KeyAbsent)
+	assertKeyStatus(t, fakeV2Descriptor, user2Options, KeyAbsent)
+	assertKeyStatus(t, fakeV2Descriptor, rootOptions, KeyAbsent)
+}
+
+func TestV2PolicyKeyMultipleUsers(t *testing.T) {
+	rootOptions, userOptions := getOptionsForFsKeyringUsers(t, 2)
+	user1Options := userOptions[0]
+	user2Options := userOptions[1]
+
+	// Add key as two non-root users.
+	if err := AddEncryptionKey(fakeValidPolicyKey, fakeV2Descriptor, user1Options); err != nil {
+		t.Error(err)
+	}
+	if err := AddEncryptionKey(fakeValidPolicyKey, fakeV2Descriptor, user2Options); err != nil {
+		t.Error(err)
+	}
+	assertKeyStatus(t, fakeV2Descriptor, user1Options, KeyPresent)
+	assertKeyStatus(t, fakeV2Descriptor, user2Options, KeyPresent)
+	assertKeyStatus(t, fakeV2Descriptor, rootOptions, KeyPresentButOnlyOtherUsers)
+
+	// Remove key as one user.
+	err := RemoveEncryptionKey(fakeV2Descriptor, user1Options, false)
+	if err != ErrKeyAddedByOtherUsers {
+		t.Error(err)
+	}
+	assertKeyStatus(t, fakeV2Descriptor, user1Options, KeyPresentButOnlyOtherUsers)
+	assertKeyStatus(t, fakeV2Descriptor, user2Options, KeyPresent)
+	assertKeyStatus(t, fakeV2Descriptor, rootOptions, KeyPresentButOnlyOtherUsers)
+
+	// Remove key as the other user.
+	err = RemoveEncryptionKey(fakeV2Descriptor, user2Options, false)
+	if err != nil {
+		t.Error(err)
+	}
+	assertKeyStatus(t, fakeV2Descriptor, user1Options, KeyAbsent)
+	assertKeyStatus(t, fakeV2Descriptor, user2Options, KeyAbsent)
+	assertKeyStatus(t, fakeV2Descriptor, rootOptions, KeyAbsent)
+}
+
+func TestV2PolicyKeyWrongDescriptor(t *testing.T) {
+	mount := getTestMountV2(t)
+	options := &Options{
+		Mount: mount,
+		User:  testUser,
+	}
+	// one wrong but valid hex, and one not valid hex
+	wrongV2Descriptors := []string{"abcdabcdabcdabcdabcdabcdabcdabcd", "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"}
+
+	for _, desc := range wrongV2Descriptors {
+		if err := AddEncryptionKey(fakeValidPolicyKey, desc, options); err == nil {
+			RemoveEncryptionKey(desc, options, false)
+			t.Error("For v2 policy keys, AddEncryptionKey should fail if the descriptor is wrong")
+		}
+	}
+}
+
+func TestV2PolicyKeyBadMount(t *testing.T) {
+	options := &Options{
+		Mount: &filesystem.Mount{Path: "/NONEXISTENT_MOUNT"},
+		User:  testUser,
+	}
+	if err := AddEncryptionKey(fakeValidPolicyKey, fakeV2Descriptor, options); err == nil {
+		RemoveEncryptionKey(fakeV2Descriptor, options, false)
+		t.Error("AddEncryptionKey should have failed with bad mount!")
+	}
+	if err := RemoveEncryptionKey(fakeV2Descriptor, options, false); err == nil {
+		t.Error("RemoveEncryptionKey should have failed with bad mount!")
+	}
+	status, err := GetEncryptionKeyStatus(fakeV2Descriptor, options)
+	if err == nil {
+		t.Error("GetEncryptionKeyStatus should have failed with bad mount!")
+	}
+	if status != KeyStatusUnknown {
+		t.Error("GetEncryptionKeyStatus should have returned unknown status!")
+	}
+}
+
+func TestV2PolicyKeyRemoveForAllUsers(t *testing.T) {
+	rootOptions, userOptions := getOptionsForFsKeyringUsers(t, 2)
+	user1Options := userOptions[0]
+	user2Options := userOptions[1]
+
+	// Add key as two non-root users.
+	if err := AddEncryptionKey(fakeValidPolicyKey, fakeV2Descriptor, user1Options); err != nil {
+		t.Error(err)
+	}
+	if err := AddEncryptionKey(fakeValidPolicyKey, fakeV2Descriptor, user2Options); err != nil {
+		t.Error(err)
+	}
+	assertKeyStatus(t, fakeV2Descriptor, user1Options, KeyPresent)
+	assertKeyStatus(t, fakeV2Descriptor, user2Options, KeyPresent)
+	assertKeyStatus(t, fakeV2Descriptor, rootOptions, KeyPresentButOnlyOtherUsers)
+
+	// Remove key for all users as root.
+	err := RemoveEncryptionKey(fakeV2Descriptor, rootOptions, true)
+	if err != nil {
+		t.Error(err)
+	}
+	assertKeyStatus(t, fakeV2Descriptor, user1Options, KeyAbsent)
+	assertKeyStatus(t, fakeV2Descriptor, user2Options, KeyAbsent)
+	assertKeyStatus(t, fakeV2Descriptor, rootOptions, KeyAbsent)
+}
diff --git a/keyring/user_keyring.go b/keyring/user_keyring.go
new file mode 100644
index 0000000..71f519d
--- /dev/null
+++ b/keyring/user_keyring.go
@@ -0,0 +1,222 @@
+/*
+ * user_keyring.go - Add/remove encryption policy keys to/from user keyrings.
+ * This is the deprecated mechanism; see fs_keyring.go for the new mechanism.
+ *
+ * Copyright 2017 Google Inc.
+ * Author: Joe Richey (joerichey@google.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package keyring
+
+import (
+	"os/user"
+	"runtime"
+	"unsafe"
+
+	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
+
+	"fmt"
+	"log"
+
+	"github.com/google/fscrypt/crypto"
+	"github.com/google/fscrypt/security"
+	"github.com/google/fscrypt/util"
+)
+
+// KeyType is always logon as required by filesystem encryption.
+const KeyType = "logon"
+
+// userAddKey puts the provided policy key into the user keyring for the
+// specified user with the provided description, and type logon.
+func userAddKey(key *crypto.Key, description string, targetUser *user.User) error {
+	runtime.LockOSThread() // ensure target user keyring remains possessed in thread keyring
+	defer runtime.UnlockOSThread()
+
+	// Create our payload (containing an FscryptKey)
+	payload, err := crypto.NewBlankKey(int(unsafe.Sizeof(unix.FscryptKey{})))
+	if err != nil {
+		return err
+	}
+	defer payload.Wipe()
+
+	// Cast the payload to an FscryptKey so we can initialize the fields.
+	fscryptKey := (*unix.FscryptKey)(payload.UnsafePtr())
+	// Mode is ignored by the kernel
+	fscryptKey.Mode = 0
+	fscryptKey.Size = uint32(key.Len())
+	copy(fscryptKey.Raw[:], key.Data())
+
+	keyringID, err := UserKeyringID(targetUser, true)
+	if err != nil {
+		return err
+	}
+	keyID, err := unix.AddKey(KeyType, description, payload.Data(), keyringID)
+	log.Printf("KeyctlAddKey(%s, %s, <data>, %d) = %d, %v",
+		KeyType, description, keyringID, keyID, err)
+	if err != nil {
+		return errors.Wrap(ErrKeyAdd, err.Error())
+	}
+	return nil
+}
+
+// userRemoveKey tries to remove a policy key from the user keyring with the
+// provided description. An error is returned if the key does not exist.
+func userRemoveKey(description string, targetUser *user.User) error {
+	runtime.LockOSThread() // ensure target user keyring remains possessed in thread keyring
+	defer runtime.UnlockOSThread()
+
+	keyID, err := userFindKey(description, targetUser)
+	if err != nil {
+		return ErrKeyNotPresent
+	}
+
+	// We use KEYCTL_INVALIDATE instead of KEYCTL_REVOKE because
+	// invalidating a key immediately removes it.
+	_, err = unix.KeyctlInt(unix.KEYCTL_INVALIDATE, keyID, 0, 0, 0)
+	log.Printf("KeyctlInvalidate(%d) = %v", keyID, err)
+	if err != nil {
+		return errors.Wrap(ErrKeyRemove, err.Error())
+	}
+	return nil
+}
+
+// userFindKey tries to locate a key in the user keyring with the provided
+// description. The key ID is returned if we can find the key. An error is
+// returned if the key does not exist.
+func userFindKey(description string, targetUser *user.User) (int, error) {
+	runtime.LockOSThread() // ensure target user keyring remains possessed in thread keyring
+	defer runtime.UnlockOSThread()
+
+	keyringID, err := UserKeyringID(targetUser, false)
+	if err != nil {
+		return 0, err
+	}
+
+	keyID, err := unix.KeyctlSearch(keyringID, KeyType, description, 0)
+	log.Printf("KeyctlSearch(%d, %s, %s) = %d, %v", keyringID, KeyType, description, keyID, err)
+	if err != nil {
+		return 0, errors.Wrap(ErrKeySearch, err.Error())
+	}
+	return keyID, err
+}
+
+// UserKeyringID returns the key id of the target user's user keyring. We also
+// ensure that the keyring will be accessible by linking it into the thread
+// keyring and linking it into the root user keyring (permissions allowing). If
+// checkSession is true, an error is returned if a normal user requests their
+// user keyring, but it is not in the current session keyring.
+func UserKeyringID(targetUser *user.User, checkSession bool) (int, error) {
+	runtime.LockOSThread() // ensure target user keyring remains possessed in thread keyring
+	defer runtime.UnlockOSThread()
+
+	uid := util.AtoiOrPanic(targetUser.Uid)
+	targetKeyring, err := userKeyringIDLookup(uid)
+	if err != nil {
+		return 0, errors.Wrap(ErrAccessUserKeyring, err.Error())
+	}
+
+	if !util.IsUserRoot() {
+		// Make sure the returned keyring will be accessible by checking
+		// that it is in the session keyring.
+		if checkSession && !isUserKeyringInSession(uid) {
+			return 0, ErrSessionUserKeying
+		}
+		return targetKeyring, nil
+	}
+
+	// Make sure the returned keyring will be accessible by linking it into
+	// the root user's user keyring (which will not be garbage collected).
+	rootKeyring, err := userKeyringIDLookup(0)
+	if err != nil {
+		return 0, errors.Wrap(ErrLinkUserKeyring, err.Error())
+	}
+
+	if rootKeyring != targetKeyring {
+		if err = keyringLink(targetKeyring, rootKeyring); err != nil {
+			return 0, errors.Wrap(ErrLinkUserKeyring, err.Error())
+		}
+	}
+	return targetKeyring, nil
+}
+
+func userKeyringIDLookup(uid int) (keyringID int, err error) {
+
+	// Our goals here are to:
+	//    - Find the user keyring (for the provided uid)
+	//    - Link it into the current thread keyring (so we can use it)
+	//    - Make no permanent changes to the process privileges
+	// Complicating this are the facts that:
+	//    - The value of KEY_SPEC_USER_KEYRING is determined by the ruid
+	//    - Keyring linking permissions use the euid
+	// So we have to change both the ruid and euid to make this work,
+	// setting the suid to 0 so that we can later switch back.
+	ruid, euid, suid := security.GetUids()
+	if ruid != uid || euid != uid {
+		if err = security.SetUids(uid, uid, 0); err != nil {
+			return
+		}
+		defer func() {
+			resetErr := security.SetUids(ruid, euid, suid)
+			if resetErr != nil {
+				err = resetErr
+			}
+		}()
+	}
+
+	// We get the value of KEY_SPEC_USER_KEYRING. Note that this will also
+	// trigger the creation of the uid keyring if it does not yet exist.
+	keyringID, err = unix.KeyctlGetKeyringID(unix.KEY_SPEC_USER_KEYRING, true)
+	log.Printf("keyringID(_uid.%d) = %d, %v", uid, keyringID, err)
+	if err != nil {
+		return 0, err
+	}
+
+	// We still want to use this keyring after our privileges are reset. So
+	// we link it into the thread keyring, preventing a loss of access.
+	//
+	// We must be under LockOSThread() for this to work reliably.  Note that
+	// we can't just use the process keyring, since it doesn't work reliably
+	// in Go programs, due to the Go runtime creating threads before the
+	// program starts and has a chance to create the process keyring.
+	if err = keyringLink(keyringID, unix.KEY_SPEC_THREAD_KEYRING); err != nil {
+		return 0, err
+	}
+
+	return keyringID, nil
+}
+
+// isUserKeyringInSession tells us if the user's uid keyring is in the current
+// session keyring.
+func isUserKeyringInSession(uid int) bool {
+	// We cannot use unix.KEY_SPEC_SESSION_KEYRING directly as that might
+	// create a session keyring if one does not exist.
+	sessionKeyring, err := unix.KeyctlGetKeyringID(unix.KEY_SPEC_SESSION_KEYRING, false)
+	log.Printf("keyringID(session) = %d, %v", sessionKeyring, err)
+	if err != nil {
+		return false
+	}
+
+	description := fmt.Sprintf("_uid.%d", uid)
+	id, err := unix.KeyctlSearch(sessionKeyring, "keyring", description, 0)
+	log.Printf("KeyctlSearch(%d, keyring, %s) = %d, %v", sessionKeyring, description, id, err)
+	return err == nil
+}
+
+func keyringLink(keyID int, keyringID int) error {
+	_, err := unix.KeyctlInt(unix.KEYCTL_LINK, keyID, keyringID, 0, 0)
+	log.Printf("KeyctlLink(%d, %d) = %v", keyID, keyringID, err)
+	return err
+}