Date: Mon, 17 Sep 2018 11:34:48 +0200
From: Felix Eckhofer
To: Jonathan Corbet
Cc: Felix Eckhofer, linux-doc@vger.kernel.org
Subject: [PATCH] doc: Fix acronym "FEKEK" in ecryptfs
Message-ID: <20180917093446.GA28595@pollux.tribut.de>

"FEFEK" was incorrectly used as acronym for "File Encryption Key Encryption Key". This replaces all occurrences with "FEKEK".

Signed-off-by: Felix Eckhofer

--- Documentation/security/keys/ecryptfs.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Documentation/security/keys/ecryptfs.rst b/Documentation/security/keys/ecryptfs.rst index 4920f3a8ea75..0e2be0a6bb6a 100644 --- a/Documentation/security/keys/ecryptfs.rst +++ b/Documentation/security/keys/ecryptfs.rst @@ -5,10 +5,10 @@ Encrypted keys for the eCryptfs filesystem ECryptfs is a stacked filesystem which transparently encrypts and decrypts each file using a randomly generated File Encryption Key (FEK). -Each FEK is in turn encrypted with a File Encryption Key Encryption Key (FEFEK) +Each FEK is in turn encrypted with a File Encryption Key Encryption Key (FEKEK) either in kernel space or in user space with a daemon called 'ecryptfsd'. In the former case the operation is performed directly by the kernel CryptoAPI -using a key, the FEFEK, derived from a user prompted passphrase; in the latter +using a key, the FEKEK, derived from a user prompted passphrase; in the latter the FEK is encrypted by 'ecryptfsd' with the help of external libraries in order to support other mechanisms like public key cryptography, PKCS#11 and TPM based operations. 
@@ -22,12 +22,12 @@ by the userspace utility 'mount.ecryptfs' shipped with the package The 'encrypted' key type has been extended with the introduction of the new format 'ecryptfs' in order to be used in conjunction with the eCryptfs filesystem. Encrypted keys of the newly introduced format store an -authentication token in its payload with a FEFEK randomly generated by the +authentication token in its payload with a FEKEK randomly generated by the kernel and protected by the parent master key. In order to avoid known-plaintext attacks, the datablob obtained through commands 'keyctl print' or 'keyctl pipe' does not contain the overall -authentication token, which content is well known, but only the FEFEK in +authentication token, which content is well known, but only the FEKEK in encrypted form. The eCryptfs filesystem may really benefit from using encrypted keys in that the -- 2.17.1
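Review bot: In the first hunk (@@ -5,10 +5,10 @@), the unchanged opening line still spells the name "ECryptfs", while the section title shown in the hunk header and the text in the second hunk use "eCryptfs". Since this patch is already a spelling cleanup of the same paragraph, consider changing that line to "eCryptfs" as well. The two replacements in this hunk are consistent with the expansion "File Encryption Key Encryption Key" given on the first changed line.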
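Review bot: In the second hunk (@@ -22,12 +22,12 @@), both changed lines carry grammar slips that could be fixed in the same pass, since the lines are being touched anyway. "Encrypted keys of the newly introduced format store an authentication token in its payload" should read "in their payload", and "which content is well known" should read "whose content is well known". This paragraph carries the security rationale (the datablob omits the authentication token to avoid known-plaintext attacks), so it is worth keeping its wording exact.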