path: root/cli-tests/t_v1_policy.out
blob: b47bcca2beca8db3e81cdda806d797af685c1c69 (plain)
# Set policy_version 1

# Try to encrypt as root
[ERROR] fscrypt encrypt: user must be specified when run as root

When running this command as root, you usually still want to provision/remove
keys for a normal user's keyring and use a normal user's login passphrase as a
protector (so the corresponding files will be accessible for that user). This
can be done with --user=USERNAME. To use the root user's keyring or passphrase,
use --user=root.

# Try to use --user=root as user
[ERROR] fscrypt encrypt: could not access user keyring for "root": setting uids:
                         operation not permitted

You can only use --user=USERNAME to access the user keyring of another user if
you are running as root.

# Try to encrypt without user keyring in session keyring
[ERROR] fscrypt encrypt: user keyring for "fscrypt-test-user" is not linked into
                         the session keyring

This is usually the result of a bad PAM configuration. Either correct the
problem in your PAM stack, enable pam_keyinit.so, or run "keyctl link @u @s".

# Encrypt a directory

# Get dir status as user
"MNT/dir" is encrypted with fscrypt.

Policy:   desc1
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 
Unlocked: Yes

Protected with 1 protector:
PROTECTOR         LINKED  DESCRIPTION
desc2  No      custom protector "prot"

# Get dir status as root
"MNT/dir" is encrypted with fscrypt.

Policy:   desc1
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 
Unlocked: Yes

Protected with 1 protector:
PROTECTOR         LINKED  DESCRIPTION
desc2  No      custom protector "prot"

# Create files in v1-encrypted directory

# Try to lock v1-encrypted directory as user
[ERROR] fscrypt lock: inode cache can only be dropped as root

Either this command should be run as root to properly clear the inode cache, or
it should be run with --drop-caches=false (this may leave encrypted files and
directories in an accessible state).
"MNT/dir" is encrypted with fscrypt.

Policy:   desc1
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 
Unlocked: Yes

Protected with 1 protector:
PROTECTOR         LINKED  DESCRIPTION
desc2  No      custom protector "prot"

# Try to lock v1-encrypted directory as root without --user
[ERROR] fscrypt lock: user must be specified when run as root

When running this command as root, you usually still want to provision/remove
keys for a normal user's keyring and use a normal user's login passphrase as a
protector (so the corresponding files will be accessible for that user). This
can be done with --user=USERNAME. To use the root user's keyring or passphrase,
use --user=root.
"MNT/dir" is encrypted with fscrypt.

Policy:   desc1
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 
Unlocked: Yes

Protected with 1 protector:
PROTECTOR         LINKED  DESCRIPTION
desc2  No      custom protector "prot"

# Lock v1-encrypted directory
Encrypted data removed from filesystem cache.
"MNT/dir" is now locked.
"MNT/dir" is encrypted with fscrypt.

Policy:   desc1
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 
Unlocked: No

Protected with 1 protector:
PROTECTOR         LINKED  DESCRIPTION
desc2  No      custom protector "prot"
cat: MNT/dir/file: No such file or directory

# Testing incompletely locking v1-encrypted directory
Enter custom passphrase for protector "prot": "MNT/dir" is now unlocked and ready for use.
Encrypted data removed from filesystem cache.
[ERROR] fscrypt lock: Directory was incompletely locked because some files are
                      still open. These files remain accessible.

Try killing any processes using files in the directory, for example using:

     find "MNT/dir" -print0 | xargs -0 fuser -k

Then re-run:

     fscrypt lock "MNT/dir"
"MNT/dir" is encrypted with fscrypt.

Policy:   desc1
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 
Unlocked: Partially (incompletely locked)

Protected with 1 protector:
PROTECTOR         LINKED  DESCRIPTION
desc2  No      custom protector "prot"
ext4 filesystem "MNT" has 1 protector and 1 policy

PROTECTOR         LINKED  DESCRIPTION
desc2  No      custom protector "prot"

POLICY            UNLOCKED  PROTECTORS
desc1  No        desc2

# Finishing locking v1-encrypted directory
Encrypted data removed from filesystem cache.
"MNT/dir" is now locked.
"MNT/dir" is encrypted with fscrypt.

Policy:   desc1
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 
Unlocked: No

Protected with 1 protector:
PROTECTOR         LINKED  DESCRIPTION
desc2  No      custom protector "prot"
cat: MNT/dir/file: No such file or directory