# Set policy_version 1 # Try to encrypt as root [ERROR] fscrypt encrypt: user must be specified when run as root When running this command as root, you usually still want to provision/remove keys for a normal user's keyring and use a normal user's login passphrase as a protector (so the corresponding files will be accessible for that user). This can be done with --user=USERNAME. To use the root user's keyring or passphrase, use --user=root. # Try to use --user=root as user [ERROR] fscrypt encrypt: setting uids: operation not permitted: could not access user keyring You can only use --user=USERNAME to access the user keyring of another user if you are running as root. # Try to encrypt without user keyring in session keyring [ERROR] fscrypt encrypt: user keyring not linked into session keyring This is usually the result of a bad PAM configuration. Either correct the problem in your PAM stack, enable pam_keyinit.so, or run "keyctl link @u @s". # Encrypt a directory # Get dir status as user "MNT/dir" is encrypted with fscrypt. Policy: desc1 Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 Unlocked: Yes Protected with 1 protector: PROTECTOR LINKED DESCRIPTION desc2 No custom protector "prot" # Get dir status as root "MNT/dir" is encrypted with fscrypt. Policy: desc1 Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 Unlocked: Yes Protected with 1 protector: PROTECTOR LINKED DESCRIPTION desc2 No custom protector "prot" # Create files in v1-encrypted directory # Try to lock v1-encrypted directory as user [ERROR] fscrypt lock: inode cache can only be dropped as root Either this command should be run as root to properly clear the inode cache, or it should be run with --drop-caches=false (this may leave encrypted files and directories in an accessible state). "MNT/dir" is encrypted with fscrypt. Policy: desc1 Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 Unlocked: Yes Protected with 1 protector: PROTECTOR LINKED DESCRIPTION desc2 No custom protector "prot" # Try to lock v1-encrypted directory as root without --user [ERROR] fscrypt lock: user must be specified when run as root When running this command as root, you usually still want to provision/remove keys for a normal user's keyring and use a normal user's login passphrase as a protector (so the corresponding files will be accessible for that user). This can be done with --user=USERNAME. To use the root user's keyring or passphrase, use --user=root. "MNT/dir" is encrypted with fscrypt. Policy: desc1 Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 Unlocked: Yes Protected with 1 protector: PROTECTOR LINKED DESCRIPTION desc2 No custom protector "prot" # Lock v1-encrypted directory Encrypted data removed from filesystem cache. "MNT/dir" is now locked. "MNT/dir" is encrypted with fscrypt. Policy: desc1 Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 Unlocked: No Protected with 1 protector: PROTECTOR LINKED DESCRIPTION desc2 No custom protector "prot" cat: MNT/dir/file: No such file or directory # Testing incompletely locking v1-encrypted directory Enter custom passphrase for protector "prot": "MNT/dir" is now unlocked and ready for use. Encrypted data removed from filesystem cache. [ERROR] fscrypt lock: some files using the key are still open Directory was incompletely locked because some files are still open. These files remain accessible. Try killing any processes using files in the directory, then re-running 'fscrypt lock'. "MNT/dir" is encrypted with fscrypt. Policy: desc1 Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 Unlocked: Partially (incompletely locked) Protected with 1 protector: PROTECTOR LINKED DESCRIPTION desc2 No custom protector "prot" ext4 filesystem "MNT" has 1 protector and 1 policy PROTECTOR LINKED DESCRIPTION desc2 No custom protector "prot" POLICY UNLOCKED PROTECTORS desc1 No desc2 # Finishing locking v1-encrypted directory Encrypted data removed from filesystem cache. "MNT/dir" is now locked. "MNT/dir" is encrypted with fscrypt. Policy: desc1 Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 Unlocked: No Protected with 1 protector: PROTECTOR LINKED DESCRIPTION desc2 No custom protector "prot" cat: MNT/dir/file: No such file or directory