From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: James Johnston <johnstonj.public@codenest.com>
Cc: ecryptfs@vger.kernel.org, keyrings@vger.kernel.org
Subject: Re: Practical use of ecryptfs, encrypted keys, and TPM: how to convert existing user key to encrypted key?
Date: Mon, 28 Mar 2016 10:59:11 -0400
Message-ID: <1459177151.2751.118.camel@linux.vnet.ibm.com>
In-Reply-To: <001301d187a0$95552f40$bfff8dc0$@codenest.com>

On Sat, 2016-03-26 at 20:46 +0000, James Johnston wrote:
> Hi,
> 
> Short version of this question is:  How do I convert a user key on the keyring
> storing ecryptfs authentication token / FEFEK to an encrypted key on keyring?
> (I.e. how to add an encrypted key with user-specified plaintext data, instead
> of a randomly-generated key - such as a pre-existing mounting passphrase for
> an existing ecryptfs file system.)  Read on for why...
> 
> I'm trying to figure out how to practically use ecryptfs with a TPM, and the
> information I'm finding is generally out-of-date/obsolete.  All I've found is
> blog articles or IBM whitepapers from a few years ago that appear to use
> features that don't exist anymore / unmaintained features.  I've gathered that
> the proper way to do this now involves trusted and encrypted kernel keys, as
> per:

Support for using trusted/encrypted ecryptfs keys was added by Roberto
Sassu as soon as trusted/encrypted keys were upstreamed.  The only
documentation is what you cited below.

>  * https://www.kernel.org/doc/Documentation/security/keys-ecryptfs.txt
>  * https://www.kernel.org/doc/Documentation/security/keys-trusted-encrypted.txt
> 
> The strategy outlined in the above documentation indicates the idea would be to
> make a new trusted key, sealed with the TPM, and then use it to make a new
> encrypted key in the ecryptfs format, specifying the trusted key as the master.
> That's easy enough to follow, and does what I'm looking for, except...
> 
> The problem is if the TPM dies, I need to recover my data (e.g. computer dies,
> and need to restore from encrypted backups).  What I'm wanting to do is use a
> passphrase to decrypt data if the TPM is not available, to be used only in
> special circumstances. 

Encrypted keys can be updated so that they're encrypted with a different
user or trusted key, but the key type (user | trusted) can not be
changed.  Allowing the key type to change would kind of defeat the
purpose of using a trusted key in the first place.

There were some initial discussions about adding support for trusted key
migration, but nothing was ever posted.

Mimi
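The workflow the two cited documents describe, and the constraint Mimi states above, as an added example that is not part of this thread and is not code from Mimi, Roberto Sassu, or the kernel tree. It wraps the documented `keyctl` invocations (create a TPM-sealed trusted master, create an ecryptfs-format encrypted key under it, re-wrap that key under a second master) in POSIX shell functions. The two local checks mirror, as I understand them, the kernel's `valid_ecryptfs_desc()` (description must be 16 hex characters) and `valid_master_desc()` (a re-wrap may only move between masters of the same type) in `security/keys/encrypted-keys/encrypted.c`; treat those as assumptions to verify against your kernel. It assumes keyutils is installed and the trusted-keys module has a TPM; setting `KEYCTL=dry_run` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes keyutils (keyctl) and a
# TPM-backed trusted-keys module. KEYCTL=dry_run prints instead of running.

KEYCTL="${KEYCTL:-keyctl}"

# Dry-run backend: echo the keyctl command line instead of executing it.
dry_run() { printf '%s\n' "keyctl $*"; }

# Classify a master-key description by its type prefix.
master_type() {
    case "$1" in
        trusted:*) echo trusted ;;
        user:*)    echo user ;;
        *)         return 1 ;;
    esac
}

# Assumed mirror of the kernel's valid_master_desc(): an encrypted key may be
# re-wrapped under another user: or another trusted: key, never across types.
same_master_type() {
    t1=$(master_type "$1") || return 1
    t2=$(master_type "$2") || return 1
    [ "$t1" = "$t2" ]
}

# Assumed mirror of the kernel's valid_ecryptfs_desc(): the key name doubles
# as the ecryptfs signature and must be exactly 16 hex characters.
valid_ecryptfs_desc() {
    [ "${#1}" -eq 16 ] || return 1
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Create a random 32-byte trusted key, sealed by the TPM, to act as master.
new_trusted_master() {   # $1 = key name, e.g. kmk
    "$KEYCTL" add trusted "$1" "new 32" @u
}

# Create an ecryptfs-format encrypted key wrapped by the given master key.
# keys-ecryptfs.txt requires a 64-byte payload for the ecryptfs format.
new_ecryptfs_key() {     # $1 = 16-hex-char signature, $2 = master desc
    valid_ecryptfs_desc "$1" || {
        echo "refusing: '$1' is not a 16-hex-char ecryptfs signature" >&2
        return 1
    }
    "$KEYCTL" add encrypted "$1" "new ecryptfs $2 64" @u
}

# Re-wrap an existing encrypted key under another master of the same type.
# The key type itself (user | trusted) cannot be changed here, which is the
# point made in the reply above.
rewrap_ecryptfs_key() {  # $1 = key id, $2 = current master, $3 = new master
    same_master_type "$2" "$3" || {
        echo "refusing: master type would change ($2 -> $3)" >&2
        return 1
    }
    "$KEYCTL" update "$1" "update $3"
}

# Mount using the key by its signature, as keys-ecryptfs.txt describes.
mount_with_sig() {       # $1 = signature, $2 = mountpoint
    mount -i -t ecryptfs "$2" "$2" \
        -o "ecryptfs_sig=$1,ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
}
```

Usage: `KEYCTL=dry_run sh -c '. ./ecryptfs-keys.sh; new_trusted_master kmk; new_ecryptfs_key 0123456789abcdef trusted:kmk'` shows the commands that would be issued; on a real system, capture the key id printed by `keyctl add` and pass it to `rewrap_ecryptfs_key` when rotating to a second trusted master.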
