blob: 747cf81de4d56a93330a195aac8a304df41db406
# Set policy_version 1
# Try to encrypt as root
[ERROR] fscrypt encrypt: user must be specified when run as root
When running this command as root, you usually still want to provision/remove
keys for a normal user's keyring and use a normal user's login passphrase as a
protector (so the corresponding files will be accessible for that user). This
can be done with --user=USERNAME. To use the root user's keyring or passphrase,
use --user=root.
# Try to use --user=root as user
[ERROR] fscrypt encrypt: setting uids: operation not permitted: could not access
user keyring
You can only use --user=USERNAME to access the user keyring of another user if
you are running as root.
# Try to encrypt without user keyring in session keyring
[ERROR] fscrypt encrypt: user keyring not linked into session keyring
This is usually the result of a bad PAM configuration. Either correct the
problem in your PAM stack, enable pam_keyinit.so, or run "keyctl link @u @s".
# Encrypt a directory
# Get dir status as user
"MNT/dir" is encrypted with fscrypt.
Policy: desc1
Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1
Unlocked: Yes
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
desc2 No custom protector "prot"
# Get dir status as root
"MNT/dir" is encrypted with fscrypt.
Policy: desc1
Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1
Unlocked: Yes
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
desc2 No custom protector "prot"
# Create files in v1-encrypted directory
# Try to lock v1-encrypted directory as user
[ERROR] fscrypt lock: inode cache can only be dropped as root
Either this command should be run as root to properly clear the inode cache, or
it should be run with --drop-caches=false (this may leave encrypted files and
directories in an accessible state).
"MNT/dir" is encrypted with fscrypt.
Policy: desc1
Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1
Unlocked: Yes
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
desc2 No custom protector "prot"
# Try to lock v1-encrypted directory as root without --user
[ERROR] fscrypt lock: user must be specified when run as root
When running this command as root, you usually still want to provision/remove
keys for a normal user's keyring and use a normal user's login passphrase as a
protector (so the corresponding files will be accessible for that user). This
can be done with --user=USERNAME. To use the root user's keyring or passphrase,
use --user=root.
"MNT/dir" is encrypted with fscrypt.
Policy: desc1
Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1
Unlocked: Yes
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
desc2 No custom protector "prot"
# Lock v1-encrypted directory
Encrypted data removed from filesystem cache.
"MNT/dir" is now locked.
"MNT/dir" is encrypted with fscrypt.
Policy: desc1
Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1
Unlocked: No
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
desc2 No custom protector "prot"
cat: MNT/dir/file: No such file or directory