* ext4 encryption trap @ 2016-08-29 10:08 Pavel Machek 2016-08-29 10:40 ` Bernd Schubert 0 siblings, 1 reply; 5+ messages in thread From: Pavel Machek @ 2016-08-29 10:08 UTC (permalink / raw) To: tytso, adilger.kernel, linux-ext4 Hi! You encrypt a directory -- sounds easy, right? Support is in 4.4 kernel, my machines run newer kernels than that. Encrypting root would be hard, but encrypting parts of data partition should be easy. Ok, lets follow howto... Need to do tune2fs. Right. Aha, still does not work, looks like I'll need to reboot. Hmm. Will not boot. Grub no longer recognizes my /data partition, and that's where new kernels are. Old kernels are in /boot, but those are now useless. Lets copy new kernel on machine using USB stick. Does not boot. Fun. tune2fs on root filesystem is useless, as it is too old. New one is ... on the data partition. Right. Ok, lets bring newer version of tune2fs in. "encryption" feature can not be cleared. Argh! Come on, I did not even create single encrypted directory on the partition. I want the damn bit to go off, so I can go back to working configuration. "Old kernels can not read encrypted files" sounds ok, but "old kernels can not mount filesystem at all" is not acceptable here :-(. Is there way to go back? Restoring 400GB from backups would not be fun :-(. On a related note, would it be possible to return some kind of error when encrypted directory is accessed without available keys? I use unison for backups/sync, and if I ever make a mistake of trying to sync in non-decrypted state, results would be very very bad... Thanks, Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: ext4 encryption trap 2016-08-29 10:08 ext4 encryption trap Pavel Machek @ 2016-08-29 10:40 ` Bernd Schubert 2016-08-29 10:49 ` Pavel Machek 0 siblings, 1 reply; 5+ messages in thread From: Bernd Schubert @ 2016-08-29 10:40 UTC (permalink / raw) To: Pavel Machek; +Cc: tytso, adilger.kernel, linux-ext4 On Monday, August 29, 2016 12:08:16 PM CEST Pavel Machek wrote: > Hi! > > You encrypt a directory -- sounds easy, right? Support is in 4.4 > kernel, my machines run newer kernels than that. Encrypting root would > be hard, but encrypting parts of data partition should be easy. > > Ok, lets follow howto... Need to do tune2fs. Right. Aha, still does > not work, looks like I'll need to reboot. > > Hmm. Will not boot. Grub no longer recognizes my /data partition, and > that's where new kernels are. Old kernels are in /boot, but those are > now useless. Lets copy new kernel on machine using USB stick. Does not > boot. Fun. > > tune2fs on root filesystem is useless, as it is too old. New one > is ... on the data partition. Right. Ok, lets bring newer version of > tune2fs in. "encryption" feature can not be cleared. > > Argh! Come on, I did not even create single encrypted directory on the > partition. I want the damn bit to go off, so I can go back to working > configuration. "Old kernels can not read encrypted files" sounds ok, > but "old kernels can not mount filesystem at all" is not acceptable > here :-(. > > Is there way to go back? Restoring 400GB from backups would not be fun I have not tried it myself, but this should work? debugfs -w -R "feature -encrypt" /dev/device (assuming the feature flag is called "encrypt") Cheers, Bernd ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: ext4 encryption trap 2016-08-29 10:40 ` Bernd Schubert @ 2016-08-29 10:49 ` Pavel Machek 2016-08-29 11:36 ` Pavel Machek 0 siblings, 1 reply; 5+ messages in thread From: Pavel Machek @ 2016-08-29 10:49 UTC (permalink / raw) To: Bernd Schubert; +Cc: tytso, adilger.kernel, linux-ext4 On Mon 2016-08-29 12:40:24, Bernd Schubert wrote: > On Monday, August 29, 2016 12:08:16 PM CEST Pavel Machek wrote: > > Hi! > > > > You encrypt a directory -- sounds easy, right? Support is in 4.4 > > kernel, my machines run newer kernels than that. Encrypting root would > > be hard, but encrypting parts of data partition should be easy. > > > > Ok, lets follow howto... Need to do tune2fs. Right. Aha, still does > > not work, looks like I'll need to reboot. > > > > Hmm. Will not boot. Grub no longer recognizes my /data partition, and > > that's where new kernels are. Old kernels are in /boot, but those are > > now useless. Lets copy new kernel on machine using USB stick. Does not > > boot. Fun. > > > > tune2fs on root filesystem is useless, as it is too old. New one > > is ... on the data partition. Right. Ok, lets bring newer version of > > tune2fs in. "encryption" feature can not be cleared. > > > > Argh! Come on, I did not even create single encrypted directory on the > > partition. I want the damn bit to go off, so I can go back to working > > configuration. "Old kernels can not read encrypted files" sounds ok, > > but "old kernels can not mount filesystem at all" is not acceptable > > here :-(. > > > > Is there way to go back? Restoring 400GB from backups would not be fun > > I have not tried it myself, but this should work? > > debugfs -w -R "feature -encrypt" /dev/device > > > (assuming the feature flag is called "encrypt") Yes, I figured out debugfs could be used to do this. (But thanks for the command line). If all tunefs did was to set the bit, this is safe. Is it? [I guess I can do fsck -fn, debugfs, fsck -fn; if it passes I should be safe, if it does not I can turn +encrypt back on, and would be no worse than I'm now. Hmm?] Thanks, Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: ext4 encryption trap 2016-08-29 10:49 ` Pavel Machek @ 2016-08-29 11:36 ` Pavel Machek 2016-08-29 12:46 ` Pavel Machek 0 siblings, 1 reply; 5+ messages in thread From: Pavel Machek @ 2016-08-29 11:36 UTC (permalink / raw) To: Bernd Schubert; +Cc: tytso, adilger.kernel, linux-ext4 On Mon 2016-08-29 12:49:06, Pavel Machek wrote: > On Mon 2016-08-29 12:40:24, Bernd Schubert wrote: > > On Monday, August 29, 2016 12:08:16 PM CEST Pavel Machek wrote: > > > Hi! > > > > > > You encrypt a directory -- sounds easy, right? Support is in 4.4 > > > kernel, my machines run newer kernels than that. Encrypting root would > > > be hard, but encrypting parts of data partition should be easy. > > > > > > Ok, lets follow howto... Need to do tune2fs. Right. Aha, still does > > > not work, looks like I'll need to reboot. > > > > > > Hmm. Will not boot. Grub no longer recognizes my /data partition, and > > > that's where new kernels are. Old kernels are in /boot, but those are > > > now useless. Lets copy new kernel on machine using USB stick. Does not > > > boot. Fun. > > > > > > tune2fs on root filesystem is useless, as it is too old. New one > > > is ... on the data partition. Right. Ok, lets bring newer version of > > > tune2fs in. "encryption" feature can not be cleared. > > > > > > Argh! Come on, I did not even create single encrypted directory on the > > > partition. I want the damn bit to go off, so I can go back to working > > > configuration. "Old kernels can not read encrypted files" sounds ok, > > > but "old kernels can not mount filesystem at all" is not acceptable > > > here :-(. > > > > > > Is there way to go back? Restoring 400GB from backups would not be fun > > > > I have not tried it myself, but this should work? > > > > debugfs -w -R "feature -encrypt" /dev/device > > > > > > (assuming the feature flag is called "encrypt") > > Yes, I figured out debugfs could be used to do this. (But thanks for > the command line). If all tunefs did was to set the bit, this is > safe. Is it? > > [I guess I can do fsck -fn, debugfs, fsck -fn; if it passes I should > be safe, if it does not I can turn +encrypt back on, and would be no > worse than I'm now. Hmm?] Ok, done, fsck passed, I'm back to previous configuration. I guess I was too optimistic. Using ext4 encryption would require at least new e2fsprogs at the root filesystem, which was something I was hoping to avoid. Best regards, Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: ext4 encryption trap 2016-08-29 11:36 ` Pavel Machek @ 2016-08-29 12:46 ` Pavel Machek 0 siblings, 0 replies; 5+ messages in thread From: Pavel Machek @ 2016-08-29 12:46 UTC (permalink / raw) To: Bernd Schubert; +Cc: tytso, adilger.kernel, linux-ext4 On Mon 2016-08-29 13:36:55, Pavel Machek wrote: > On Mon 2016-08-29 12:49:06, Pavel Machek wrote: > > On Mon 2016-08-29 12:40:24, Bernd Schubert wrote: > > > On Monday, August 29, 2016 12:08:16 PM CEST Pavel Machek wrote: > > > > Hi! > > > > > > > > You encrypt a directory -- sounds easy, right? Support is in 4.4 > > > > kernel, my machines run newer kernels than that. Encrypting root would > > > > be hard, but encrypting parts of data partition should be easy. > > > > > > > > Ok, lets follow howto... Need to do tune2fs. Right. Aha, still does > > > > not work, looks like I'll need to reboot. > > > > > > > > Hmm. Will not boot. Grub no longer recognizes my /data partition, and > > > > that's where new kernels are. Old kernels are in /boot, but those are > > > > now useless. Lets copy new kernel on machine using USB stick. Does not > > > > boot. Fun. > > > > > > > > tune2fs on root filesystem is useless, as it is too old. New one > > > > is ... on the data partition. Right. Ok, lets bring newer version of > > > > tune2fs in. "encryption" feature can not be cleared. > > > > > > > > Argh! Come on, I did not even create single encrypted directory on the > > > > partition. I want the damn bit to go off, so I can go back to working > > > > configuration. "Old kernels can not read encrypted files" sounds ok, > > > > but "old kernels can not mount filesystem at all" is not acceptable > > > > here :-(. > > > > > > > > Is there way to go back? Restoring 400GB from backups would not be fun > > > > > > I have not tried it myself, but this should work? > > > > > > debugfs -w -R "feature -encrypt" /dev/device > > > > > > > > > (assuming the feature flag is called "encrypt") > > > > Yes, I figured out debugfs could be used to do this. (But thanks for > > the command line). If all tunefs did was to set the bit, this is > > safe. Is it? > > > > [I guess I can do fsck -fn, debugfs, fsck -fn; if it passes I should > > be safe, if it does not I can turn +encrypt back on, and would be no > > worse than I'm now. Hmm?] > > Ok, done, fsck passed, I'm back to previous configuration. > > I guess I was too optimistic. Using ext4 encryption would require at > least new e2fsprogs at the root filesystem, which was something I was > hoping to avoid. I'm trying to make some experiments on USB stick... Hmm. I guess error handling in add_key should be improved? pavel@duo:/mnt$ ~/g/e2fsprogs/misc/e4crypt add_key -S salt.txt Invalid salt: salt.txt pavel@duo:/mnt$ ~/g/e2fsprogs/misc/e4crypt add_key -S /media/pavel/8EE9-E39F/salt.txt EXT4_IOC_GET_ENCRYPTION_PWSALT: Inappropriate ioctl for device pavel@duo:/mnt$ (The first one is probably ok, but why it accepts path instead of hex value?) Best regards, Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-08-29 12:47 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-08-29 10:08 ext4 encryption trap Pavel Machek 2016-08-29 10:40 ` Bernd Schubert 2016-08-29 10:49 ` Pavel Machek 2016-08-29 11:36 ` Pavel Machek 2016-08-29 12:46 ` Pavel Machek
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).