google / fscryptctl Goto Github PK
View Code? Open in Web Editor NEWSmall C tool for Linux filesystem encryption
License: Apache License 2.0
fscryptctl's Issues
fscryptctl insert_key does not persist during switch_root
I would like to encrypt my root partition using fscrypt.
I insert the key in initramfs:
fscryptctl insert_key < /tmp/key.data
then mount my rootfs:
mount -t ubifs ubi0:rootfs /mnt
Finally excuting switch_root:
exec switch_root /mnt /sbin/init
The last command fails since the key does not survive the switch_root probably because /proc & /sys are remounted.
Is there anyway to persist the key during this stage ?
FAILED test.py::test_set_get_policy_aes_256_xts - Failed: DID NOT RAISE <class 'OSError'>
We starting to get such error on our tests:
root@i586:~/RPM/BUILD/fscryptctl-1.0.0# make test-all
make test-setup
make[1]: Entering directory '/usr/src/RPM/BUILD/fscryptctl-1.0.0'
if mountpoint -q "/tmp/fscryptctl-test-dir"; then \
sudo umount "/tmp/fscryptctl-test-dir"; \
fi
0.00user 0.00system 0:00.01elapsed 10%CPU (0avgtext+0avgdata 2060maxresident)k
0inputs+8outputs (0major+107minor)pagefaults 0swaps
rm -rf "/tmp/fscryptctl-test-dir"
rm -f "/tmp/fscryptctl-test-image"
dd if=/dev/zero of="/tmp/fscryptctl-test-image" bs=1M count=32
32+0 records in
32+0 records out
33554432 bytes (34 MB, 32 MiB) copied, 0.00999589 s, 3.4 GB/s
mkfs.ext4 -b 4096 -O encrypt -F "/tmp/fscryptctl-test-image"
mke2fs 1.46.4 (18-Aug-2021)
Discarding device blocks: done
Creating filesystem with 8192 4k blocks and 8192 inodes
Allocating group tables: done
Writing inode tables: done
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done
mkdir -p "/tmp/fscryptctl-test-dir"
sudo mount -o rw,loop "/tmp/fscryptctl-test-image" "/tmp/fscryptctl-test-dir"
0.00user 0.00system 0:00.00elapsed 0%CPU (0avgtext+0avgdata 2400maxresident)k
706inputs+8outputs (0major+186minor)pagefaults 0swaps
sudo sh -c 'chown $SUDO_UID:$SUDO_GID "/tmp/fscryptctl-test-dir"'
0.00user 0.00system 0:00.00elapsed 50%CPU (0avgtext+0avgdata 2328maxresident)k
0inputs+0outputs (0major+155minor)pagefaults 0swaps
/tmp/fscryptctl-test-dir is now set up.
make[1]: Leaving directory '/usr/src/RPM/BUILD/fscryptctl-1.0.0'
make test
make[1]: Entering directory '/usr/src/RPM/BUILD/fscryptctl-1.0.0'
TEST_DIR="/tmp/fscryptctl-test-dir" PATH="$PWD:$PATH" \
ENABLE_VALGRIND="" \
python3 -m pytest test.py -s -q
............F......................
========================================================================== FAILURES ===========================================================================
_______________________________________________________________ test_set_get_policy_aes_256_xts _______________________________________________________________
directory = '/tmp/fscryptctl-test-dir/test'
def test_set_get_policy_aes_256_xts(directory):
"""Tests getting and setting an encryption policy that uses AES-256-XTS
contents encryption and AES-256-CTS filenames encryption. (Note that this
is also the default setting, but this test tries it explicitly.)"""
prepare_encrypted_dir(directory, "--contents=AES-256-XTS",
"--filenames=AES-256-CTS")
check_policy(directory, contents="AES-256-XTS", filenames="AES-256-CTS")
# AES-256-XTS expects a 64-byte key. Shorter keys shouldn't work.
for key in [TEST_KEY_16B, TEST_KEY_32B]:
with pytest.raises(OSError):
> prepare_encrypted_dir(directory, "--contents=AES-256-XTS",
"--filenames=AES-256-CTS", key=key)
E Failed: DID NOT RAISE <class 'OSError'>
test.py:319: Failed
=================================================================== short test summary info ===================================================================
FAILED test.py::test_set_get_policy_aes_256_xts - Failed: DID NOT RAISE <class 'OSError'>
1 failed, 34 passed in 0.49s
make[1]: *** [Makefile:93: test] Error 1
make[1]: Leaving directory '/usr/src/RPM/BUILD/fscryptctl-1.0.0'
make: *** [Makefile:119: test-all] Error 2
fscryptctl compatibilty with mkfs.ubifs
hello I'm using fscryptctl v1.0.0 with an UBIFS on a RAW Nand Flash with a 5.10 kernel and mtd-utils 2.1.4:
- Create an encrypted ubifs using mkfs.ubifs as follow:
# dd if=/dev/urandom of=key.data count=64 bs=1
# mkdir -p rootfs/somedir
# echo "somedata" > rootfs/somedir/somefile
# mkfs.ubifs -m 4096 -e 253952 -c 4068 --cipher AES-256-XTS --key key.data -r rootfs rootfs.ubifs
mkfs.ubifs: fscrypt master key descriptor: 0x0dbfd8a3ba6c7e60
- Update ubifs volume:
# ubiupdatevol /dev/ubi0_2 -t
# ubiupdatevol /dev/ubi0_2 rootfs.ubifs
- Mount volume:
# mount -t ubifs /dev/ubi0_2 /mnt
# ls -l /mnt/
drwxr-xr-x 2 root root 232 Oct 29 17:44 9r,9Ko40w3Qg8kg9l3457CjT40nHIhWD
- Decrypt volume:
# fscryptctl add_key /mnt < key.data
77120bc70608b4aec343dc803a9a695c
# ls -l /mnt/
drwxr-xr-x 2 root root 232 Oct 29 17:44 9r,9Ko40w3Qg8kg9l3457CjT40nHIhWD
It doesn't look that the decryption is working !!
Add support for libfscryptctl.so creation.
Hi,
This user space tool is now active as a command-line tool. The.so file was required by some embedded devices, however, in order to link their programme.
Unable to write file on ecrypted directory with zero-ed key
In fscryptctl user space, after removing the key from key ring, the encrypted directories file names continues to be in clear form.
I am using fscrypt kernel space and fscryptctl at user space to make use of the fscrypt encryption tool.
I have encrypted a directory using add_key -> set_policy->created valid data files under the encryption directory.
Before I remove the key, I have confirmed the open files of the directory is closed properly.
Now, if I remove the key from the key ring, the file names of the encrypted directory continues to be in clear form. The file names are change to encrypted form only if I reboot the system or if I dorp the cache/inode using the system echo 2 >/proc/sys/vm/drop_caches.
fscryptctl version: v1.0.0-6-gab54426
Is there a way to handle this neatly and make the file names as encrypted name upon removing the key from kernel key ring? I do not wish to drop the entire system caches
I have tried this on both Ubuntu machine and my customised embedded system as well. The observation is same.
Error when unlocking filesystem.
I tested fscrypt with ext4, but I got this error:
root@pc1:/home/hamiltonp/Temp# fscrypt unlock mount/blah/
Enter custom passphrase for protector "test":
fscrypt unlock: permission denied: system error: could not insert key into the keyring
It persisted with password and keyfile method.
Incorrect file name
Hi,
I am using fscrypt with UBIFS and kernel 4.13 on an ARM CortexA7 monocore.
It appears that with a 32 padding, the filenames are incorrect when the names size is in between 16 and 31 inclusive. The error occurs on different ranges when the padding is different. Longer names or shorter names work fine.
I added logs in fname.c and it clearly indicates that the decoded name in fname_decrypt is padded to 32 when the expected decoded size is in between 16 and 31 while it is correct with other sizes.
On a Linux 4.10 (64bits laptop) I dont see the issue when running a ubi/ubifs/fscrypt in nandsim.
Release time?
Hello @josephlr, I'd like to package fscryptctl for Debian, but normally only released (tagged) versions are packaged. Do you plan to tag a release anytime soon? Thank you.
UBIFS symlink encryption bug
hello I'm using fscryptctl v1.0.0 with an UBIFS on a RAW Nand Flash with a 5.10 kernel version as follow:
- wipe out ubi0_1 volume:
# ubiupdatevol /dev/ubi0_1 -t
- mount volume:
# mount -t ubifs /dev/ubi0_1 /mnt/
- create an encryption key:
# dd if=/dev/urandom of=key.data count=64 bs=1
- encrypt the volume:
# fscryptctl add_key /mnt/ < key.data
# fscryptctl set_policy 5f7c86c2c8ff2b4997282355429c65ac /mnt/
- populate /mnt:
# cd /mnt
# mkdir -p bin usr/bin
# echo "something" > bin/somefile
# ln -s bin/somefile bin/file-symlink
# ls -l bin/
lrwxrwxrwx 1 root root 34 Oct 29 10:57 file-symlink -> bin/somefile
-rw-r--r-- 1 root root 10 Oct 29 10:57 somefile
# cd -
# umount /mnt/
- remount
# mount -t ubifs /dev/ubi0_1 /mnt/
# ls -l /mnt/
drwxr-xr-x 2 root root 352 Oct 29 10:57 G9,XDkQsQuNHrLit3x0YkbRc9ZigDrvREyWw+bwZ4I8LuNMi35u,aB
drwxr-xr-x 3 root root 256 Oct 29 10:57 ehRYWcZe9dFYscuAMJdbTFUyfDLdBBdnsqoWpNgi+2qmCH7rczEk3C
- enable the decryption:
# fscryptctl add_key /mnt/ < key.data
5f7c86c2c8ff2b4997282355429c65ac
- check the files:
# cat /mnt/bin/somefile
something
# ls -l /mnt/bin/
lrwxrwxrwx 1 root root 34 Oct 29 10:57 file-symlink -> 4???i?.N??????U?????U????:z?5"??
-rw-r--r-- 1 root root 10 Oct 29 10:57 somefile
Files are ok, symlinks are broken !
is this a known issue ?
Point to issues for design discussion
Document where design discussion occurs.
Setup Travis CI
Usage example incomplete
I found the usage example in README.md very helpful in illustrating the usage. But when I came to umount I was lost, as there wasn't an earlier corresponding mount nor an explanation of its role. I am guessing this is a workaround for doing drop_cache without privilege escalation. What would the earlier missing mount command look like in the given usage example?
Execution
How to run this code exactly, any help please with some instruction
remove policy
How can I remove policy or re-set policy when one of policy already set?
Add versioning support
Add a version according to http://semver.org/
This should probably just be something that prints with a --version flag.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.