google / fscrypt
Go tool for managing Linux filesystem encryption
License: Apache License 2.0
As I was looking into reproducing #93 in a VM I hit this bug.
Steps:
passwd to change that user's password.
VM: https://drive.google.com/open?id=1soLFKOoFHK47d31RCn6qmJB7AORe2ysg
Uncompress (using xz, no tarball) and launch using virt-manager. Fedora 26 settings. Two users: root and qemu, both have the same password: qemu. User qemu's home is encrypted, PAM unlocking is setup.
Edit: changing the passphrase manually to match the new login password using fscrypt metadata results in a working setup again.
fscrypt locks keys in memory for security. However, if the user's limit on the total amount of memory (see yours by running ulimit -l) is exceeded, creating a new key fails with EAGAIN. This is because the mmap syscall returns EAGAIN when the memory limit is reached (see docs).
The returned error message of "resource temporarily unavailable" is not very helpful. A better message should be returned and an explanation printed.
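As an added illustration of the failure described in this issue (my own code, not fscrypt's), the block below allocates key memory with mmap(MAP_LOCKED) through Go's standard syscall package, wraps the errno so it stays matchable, and translates EAGAIN into the kind of actionable message the issue asks for. The wording of the message and the helper names are assumptions; the mmap flags and the EAGAIN behaviour are from mmap(2).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// lockedBuffer maps size bytes of anonymous memory and asks the kernel to
// lock it (MAP_LOCKED) so key material can never be paged out to swap.
// When the caller's RLIMIT_MEMLOCK is exhausted, mmap fails with EAGAIN,
// which Go reports as "resource temporarily unavailable".
func lockedBuffer(size int) ([]byte, error) {
	buf, err := syscall.Mmap(-1, 0, size,
		syscall.PROT_READ|syscall.PROT_WRITE,
		syscall.MAP_ANON|syscall.MAP_PRIVATE|syscall.MAP_LOCKED)
	if err != nil {
		// Wrap with %w so callers can still match the errno.
		return nil, fmt.Errorf("mmap of %d locked bytes: %w", size, err)
	}
	return buf, nil
}

// releaseBuffer zeroes the key bytes before unmapping so the secret does
// not survive in freed memory.
func releaseBuffer(buf []byte) error {
	for i := range buf {
		buf[i] = 0
	}
	return syscall.Munmap(buf)
}

// explainLockError turns the bare errno into a message that names the
// limit that was hit and how to inspect it; other errors pass through.
func explainLockError(err error) string {
	switch {
	case err == nil:
		return ""
	case errors.Is(err, syscall.EAGAIN):
		return "cannot lock memory for the key: the locked-memory limit " +
			"(RLIMIT_MEMLOCK, shown by `ulimit -l`) is exhausted; raise it, " +
			"for example in /etc/security/limits.conf, then log in again"
	default:
		return err.Error()
	}
}

func main() {
	buf, err := lockedBuffer(4096)
	if err != nil {
		fmt.Fprintln(os.Stderr, explainLockError(err))
		os.Exit(1)
	}
	copy(buf, "constructed key bytes, not a real key") // constructed sample, not a key
	fmt.Printf("locked %d bytes for key material\n", len(buf))
	if err := releaseBuffer(buf); err != nil {
		fmt.Fprintln(os.Stderr, err)
	}
}
```

Keeping the errno in the error chain matters: the friendly text is for the user, but callers such as a PAM module still need to distinguish "limit exhausted" from a genuine allocation failure.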
As described in https://github.com/google/fscrypt#i-can-still-see-files-or-filenames-after-running-fscrypt-purge-mountpoint encryption keys are still available in kernel cache after issuing fscrypt purge command.
There is however option to clear kernel cache by changing /proc/sys/vm/drop_caches value to 2 or 3. That means fscrypt purge could send something like sync && echo 3 > /proc/sys/vm/drop_caches and the cache will be cleared. The downside is that fscrypt purge would need execution with sudo.
Note that in encryptPath() the policy should be deprovisioned on failure to set the appropriate policy. However, the actual deprovisioning is here. Note that this deprovisioning is unconditional, so fscrypt encrypt DIRECTORY will never result in an unlocked directory.
As seen in #42, bugs in pam_fscrypt will crash the login process, making it very difficult to restore a buggy system. This is not desirable. We should catch all panics, log the stack trace, and return an error for the module.
Crashing the process calling into PAM is never desirable.
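One way to implement the "catch all panics, log the stack trace, return an error" behaviour this issue asks for, as an added example that is my own code and not pam_fscrypt's: a wrapper around each PAM entry point with a deferred recover. The function and error names are assumptions; the two callbacks are constructed stand-ins for the module's real ones.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"runtime/debug"
)

// errModulePanic is what the PAM stack sees whenever a module function
// panics; PAM then treats the module as failed instead of the whole login
// process dying with the panic.
var errModulePanic = errors.New("pam_fscrypt: internal error, see log")

// runPamFunc wraps a PAM entry point. A panic inside f is converted into an
// error and the stack trace is logged, so the caller (login, sshd, sudo)
// keeps running. The named return value lets the deferred recover set it.
func runPamFunc(name string, f func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			log.Printf("%s: panic: %v\n%s", name, r, debug.Stack())
			err = fmt.Errorf("%w (%s: %v)", errModulePanic, name, r)
		}
	}()
	return f()
}

// Constructed stand-ins for the module's real callbacks.
func healthyOpenSession() error { return nil }

func buggyAuthenticate() error {
	var handle *struct{ token string }
	return errors.New(handle.token) // nil dereference: a runtime panic
}

func main() {
	log.SetFlags(0)
	fmt.Println("OpenSession:", runPamFunc("OpenSession", healthyOpenSession))
	fmt.Println("Authenticate:", runPamFunc("Authenticate", buggyAuthenticate))
}
```

The recover must sit inside the Go function that is exported to C: a panic that reaches the cgo boundary cannot be recovered by the C caller and aborts the process.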
Fscrypt generates a reasonable set of default password hashing costs when creating /etc/fscrypt.conf. However, the ramLimit function is simply half the available system ram.
This poses a problem when using fscrypt on removable media. A password protector setup on a computer with a large amount of memory would be difficult to use on a computer with a small amount of memory. There is no real reason to consume multiple GiBs of RAM, the used memory just needs to not fit in any CPU caches.
Cryptsetup V2 uses a memory cost of 128MiB, which would be OK for any reasonable Linux system (Debian has a minimum memory of 128MiB on amd64).
This change would be completely backwards compatible, only changing the generated values for new /etc/fscrypt.conf files.
In the README.md, there is a section about the dangers of enabling encryption. It is sort of casually mentioned that the system will fail to boot. This was fixed here, but many old versions of grub are still hanging around.
Also, once you have a grub boot failure, it can be very hard to actually undo the encryption or update Grub. We might want to make the warning more explicit, or have an explicit check for the grub version.
The fscrypt tool should have a man page so that users can easily and locally find more information on how to use fscrypt. The man page should probably live in section 8 since fscrypt is mostly a system administration tool.
Currently fscrypt adds keys to session keyring (KEY_SPEC_SESSION_KEYRING). Applications started within systemd --user instance have their own session keyring which means they would have no access to encrypted directories. To fix this we need to add keys to user keyring (KEY_SPEC_USER_KEYRING) instead.
You can test it by invoking systemd-run --user keyctl show, and check logs, the keyring is empty.
Using user keyring is recommended by systemd developers, see systemd/systemd#1299 (comment)
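An added example of the keyring mechanics behind this issue (my own code, not fscrypt's), using the add_key and keyctl syscalls through Go's standard syscall package: a key placed in the user keyring (KEY_SPEC_USER_KEYRING) is not found by a search rooted at the process keyring until the user keyring is linked into it, which is what the KeyctlLink calls in the pam_fscrypt logs further down this page do. The keyctl constants are defined locally because the syscall package does not export them; the key is of type "user" with a constructed description, so nothing here touches a real ext4 policy key. The goroutine is pinned to one OS thread because the process keyring lives in per-thread credentials.

```go
package main

import (
	"fmt"
	"os"
	"runtime"
	"syscall"
	"unsafe"
)

// Values from <linux/keyctl.h>; syscall has SYS_ADD_KEY/SYS_KEYCTL but not these.
const (
	keySpecProcessKeyring = -2 // per-process keyring
	keySpecUserKeyring    = -4 // shared by every process of this UID, survives logout
	keyctlGetKeyringID    = 0
	keyctlLink            = 8
	keyctlUnlink          = 9
	keyctlSearch          = 10
)

type keyID int32

func cstr(s string) *byte {
	p, err := syscall.BytePtrFromString(s)
	if err != nil {
		panic(err) // only for embedded NULs, impossible for the literals used here
	}
	return p
}

// keyringID resolves a special keyring ID, creating the keyring if asked.
func keyringID(spec int, create bool) (keyID, error) {
	var c uintptr
	if create {
		c = 1
	}
	r, _, errno := syscall.Syscall(syscall.SYS_KEYCTL, keyctlGetKeyringID, uintptr(int64(spec)), c)
	if errno != 0 {
		return 0, errno
	}
	return keyID(r), nil
}

// addKey is add_key(2): store payload under keyType/desc in keyring.
func addKey(keyType, desc string, payload []byte, keyring keyID) (keyID, error) {
	r, _, errno := syscall.Syscall6(syscall.SYS_ADD_KEY,
		uintptr(unsafe.Pointer(cstr(keyType))), uintptr(unsafe.Pointer(cstr(desc))),
		uintptr(unsafe.Pointer(&payload[0])), uintptr(len(payload)), uintptr(int64(keyring)), 0)
	if errno != 0 {
		return 0, errno
	}
	return keyID(r), nil
}

// searchKey looks for keyType/desc in keyring and every keyring linked into it.
func searchKey(keyring keyID, keyType, desc string) (keyID, error) {
	r, _, errno := syscall.Syscall6(syscall.SYS_KEYCTL, keyctlSearch, uintptr(int64(keyring)),
		uintptr(unsafe.Pointer(cstr(keyType))), uintptr(unsafe.Pointer(cstr(desc))), 0, 0)
	if errno != 0 {
		return 0, errno
	}
	return keyID(r), nil
}

// keyctlPair issues KEYCTL_LINK or KEYCTL_UNLINK for (key, keyring).
func keyctlPair(cmd uintptr, key, keyring keyID) error {
	if _, _, errno := syscall.Syscall(syscall.SYS_KEYCTL, cmd, uintptr(int64(key)), uintptr(int64(keyring))); errno != 0 {
		return errno
	}
	return nil
}

// provisionDemo adds a key to the user keyring and reports whether a search
// from the process keyring finds it before and after linking the user
// keyring in. Description and payload are constructed, not fscrypt data.
func provisionDemo() (foundBefore, foundAfter bool, err error) {
	runtime.LockOSThread() // process keyring is held in per-thread creds
	defer runtime.UnlockOSThread()
	const desc = "fscrypt-example:0123456789abcdef"
	payload := []byte("constructed payload, not key material")

	userKR, err := keyringID(keySpecUserKeyring, true)
	if err != nil {
		return false, false, fmt.Errorf("user keyring: %w", err)
	}
	procKR, err := keyringID(keySpecProcessKeyring, true)
	if err != nil {
		return false, false, fmt.Errorf("process keyring: %w", err)
	}
	key, err := addKey("user", desc, payload, userKR)
	if err != nil {
		return false, false, fmt.Errorf("add_key: %w", err)
	}
	defer keyctlPair(keyctlUnlink, key, userKR) // leave nothing behind

	_, serr := searchKey(procKR, "user", desc)
	foundBefore = serr == nil
	if err := keyctlPair(keyctlLink, userKR, procKR); err != nil {
		return foundBefore, false, fmt.Errorf("link: %w", err)
	}
	_, serr = searchKey(procKR, "user", desc)
	return foundBefore, serr == nil, nil
}

func main() {
	before, after, err := provisionDemo()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("visible from process keyring: before link=%v, after link=%v\n", before, after)
}
```

The same visibility rule is the defender's caveat for the cross-user report later on this page: a key becomes searchable from any keyring the user's _uid keyring has been linked into, so a PAM module must link it only into the keyrings of the session that is actually being opened.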
https://github.com/google/fscrypt#getting-encryption-not-enabled-on-an-ext4-filesystem
Note: It is actually possible to get GRUB to boot an encrypted ext4 filesystem. However, it requires GRUB 2.02 (NOT the 2.02 beta) to be installed as the bootloader. As this version was released in April 2017, most systems WILL FAIL TO BOOT with an ext4 encrypted boot directory
This information is not 100% accurate. grub 2.02 was tagged 2017-04-25: https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e54c99aaff5e5f6f5d3b06028506c57e66d8ef77
Ext4 encryption patch landed 2017-06-29: https://git.savannah.gnu.org/cgit/grub.git/commit/?id=734668238fcc0ef691a080839e04f33854fa133a so it's not part of 2.02 upstream release.
Debian cherry-picked this patch to their 2.02 package https://anonscm.debian.org/cgit/pkg-grub/grub.git/commit/?id=29c8a3e93ad5c37599ac3281e59a7452c7c23928 but not every distro did.
Just found this hard way with grub rescue shell
In cmd/fscrypt/commands.go, Protectors should be reverted if they are created. The reversion on failure is here. But this has a problem.
If the protector is selected (not created) in selectOrCreateProtector() the protector will be reverted regardless on any error. This means a failure after selection can result in data loss. The documentation for selectOrCreateProtector() is also wrong, leading to this confusion.
Right now fscrypt's integration tests rely on the environment variable TEST_FILESYSTEM_ROOT being set. This variable should be set to the path of a filesystem which supports filesystem encryption, or make go (or go test) will fail.
This requirement should be documented better, or the integration tests should just not be run if TEST_FILESYSTEM_ROOT is not set.
Document where design discussion should occur
With #54, the directory /dev/disk/by-uuid and its contents are now necessary to establish cross filesystem links. This means use of these links now depends on a specific default udev rule, namely 60-persistent-storage.rules. The source can be found in the systemd tree, eudev tree, and the old udev tree.
The documentation (probably part of #10) should explain this and other dependencies in a single section. It should also explain when these dependencies are necessary (build-time, run-time, link creation time, etc.).
I cannot spell. Get a linter that runs as part of the CI process that checks for spelling errors.
The fscrypt encrypt subcommand reports that "<DIR> is now encrypted, unlocked, and ready for use." but it doesn't actually unlock the directory:
$ mkdir -p encrypted && fscrypt encrypt encrypted/
Should we create a new protector? [y/N] y
Your data can be protected with one of the following sources:
1 - Your login passphrase (pam_passphrase)
2 - A custom passphrase (custom_passphrase)
3 - A raw 256-bit key (raw_key)
Enter the source number for the new protector [2 - custom_passphrase]:
Enter a name for the new protector: p1
Enter custom passphrase for protector "p1":
Confirm passphrase:
"encrypted/" is now encrypted, unlocked, and ready for use.
$ echo this is only a test > encrypted/test
-bash: encrypted/test: Required key not available
$ fscrypt status encrypted
"encrypted" is encrypted with fscrypt.
Policy: 9ac3aa2fa6413dd1
Unlocked: No
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
69845814cae88b44 No custom protector "p1"
Now I can unlock the directory and begin using it:
$ fscrypt unlock encrypted
Enter custom passphrase for protector "p1":
"encrypted" is now unlocked and ready for use.
$ echo this is only a test > encrypted/test
$ cat encrypted/test
this is only a test
Here is my encrypted directory status:
$ fscrypt status /home/ilius/test
"/home/ilius/test" is encrypted with fscrypt.
Policy: 44f05ee076fff2d7
Unlocked: Yes
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
99db526fab54e494 No custom protector "test"
fscrypt$ fscrypt unlock /home/ilius/test
fscrypt unlock: /home/ilius/test: this file or directory is already unlocked
And here is the error I get when I try to move a file from a normal (unencrypted) directory to my encrypted directory:
mv: cannot move '../test.txt' to './test.txt': Operation not permitted
Also graphically (with Caja file manager) I get "Error moving file: Operation not permitted".
Copy works, both graphically and command line.
Also deleting the original file works (with the same user)
OS: Linux Mint 18.1 Serena
Kernel: Linux 4.4.0-53-generic #74-Ubuntu SMP Fri Dec 2 15:59:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Tested with latest fscrypt (commit cedbe0e)
Support for AES-128 encryption modes was added in torvalds/linux@b7e7cf7. This should be reflected in fscrypt (similar to google/fscryptctl#5). We should update our vendored copy of https://github.com/golang/sys/tree/master/unix which added 4.13 support in golang/sys@31e1faf.
fscrypt.conf is currently formatted as a JSON file. This is undesirable for many reasons.
During the initial design process for fscrypt, we considered using TOML as the config format (like rust does). The main reason we didn't is because TOML is less common than JSON and because the main go library had a legally problematic license.
Now that TOML is used by toolchain programs like dep and the licensing problem is fixed, TOML makes more sense.
The following will need to be completed to make this change:
fscrypt.conf as TOML
fscrypt.conf files as TOML
fscrypt.conf files
The Makefile contains logic to build a version string by using git describe --tags and inject it into the fscrypt build. This allows fscrypt --version to print a version string. However, the version information can't be gathered when building from the release tarballs since there's no git tree available and fscrypt --version doesn't include any version information in the output.
As mentioned in the README, the idea of protecting directories with a login passphrase is incomplete without a PAM module. This PAM module will need to support the following functionality:
The road map for changes to incorporate the PAM module is as follows:
pam package to support the additional functionality.
actions package making unlocking Policies easier. See #3 and #18.
so.
I noticed that currently fscrypt treats directories mounted on existing filesystem with --bind option as separate mountpoints.
That means it needs executing fscrypt setup MOUNTPOINT on every directory mounted this way to make encryption available. Moreover it can create confusion when encrypted directory was created before bind-mounts were used:
fscrypt setup /
fscrypt encrypt /home/xxx (creates policy under /.fscrypt)
bind-mount /home to /home
fscrypt setup /home
fscrypt status /home/xxx (searches policy under /home/.fscrypt)
In that case user have to manually copy fscrypt metadata from /.fscrypt to /home/.fscrypt
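An added example of how a tool can recognise that a bind mount and its origin are the same filesystem (my own code, not fscrypt's): parse /proc/self/mountinfo, key each mount by the major:minor of its superblock rather than by mount point, and pick one canonical mount point per device for the .fscrypt metadata. The mountinfo text below is constructed to mirror the scenario in this issue (a subdirectory of /home bind-mounted elsewhere); the function names and the "first mount whose root is /" rule are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// mount holds the fields of one /proc/self/mountinfo line that identify the
// backing filesystem rather than the path it is mounted on.
type mount struct {
	Device     string // major:minor of the superblock; equal for every bind mount of one filesystem
	Root       string // directory inside that filesystem mounted here ("/" unless a subdirectory bind mount)
	MountPoint string
	FSType     string
	Source     string
}

// unescape decodes the octal escapes proc(5) uses for space, tab, newline and backslash.
func unescape(s string) string {
	return strings.NewReplacer(`\040`, " ", `\011`, "\t", `\012`, "\n", `\134`, `\`).Replace(s)
}

// parseMountInfo parses mountinfo text. Layout per proc(5):
// id parent major:minor root mountpoint mntopts [optional fields...] - fstype source superopts
func parseMountInfo(text string) ([]mount, error) {
	var mounts []mount
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		sep := -1
		for i, s := range f {
			if s == "-" {
				sep = i
				break
			}
		}
		if sep < 6 || len(f) < sep+3 {
			return nil, fmt.Errorf("malformed mountinfo line: %q", line)
		}
		mounts = append(mounts, mount{
			Device: f[2], Root: unescape(f[3]), MountPoint: unescape(f[4]),
			FSType: f[sep+1], Source: unescape(f[sep+2]),
		})
	}
	return mounts, sc.Err()
}

// findMount returns the mount with the longest mount point containing path.
func findMount(mounts []mount, path string) *mount {
	var best *mount
	for i := range mounts {
		mp := mounts[i].MountPoint
		if mp == "/" || path == mp || strings.HasPrefix(path, mp+"/") {
			if best == nil || len(mp) > len(best.MountPoint) {
				best = &mounts[i]
			}
		}
	}
	return best
}

// sameFilesystem is true when two mounts share a superblock, which is
// exactly the relation between a bind mount and the mount it came from.
func sameFilesystem(a, b mount) bool { return a.Device == b.Device }

// metadataRoot picks one canonical mount point per filesystem (the first
// mount of that device whose root is "/"), so a bind mount resolves to the
// same .fscrypt directory as its origin instead of needing its own setup.
func metadataRoot(mounts []mount, path string) string {
	m := findMount(mounts, path)
	if m == nil {
		return ""
	}
	for i := range mounts {
		if mounts[i].Device == m.Device && mounts[i].Root == "/" {
			return mounts[i].MountPoint
		}
	}
	return m.MountPoint
}

// sampleMountInfo is constructed input, not captured from a real system.
const sampleMountInfo = `22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
40 22 8:2 / /home rw,nosuid,nodev,noexec,noatime shared:2 - ext4 /dev/sda2 rw,stripe=32708
55 22 8:2 /xxx /srv/xxx rw,nosuid,nodev,noexec,noatime shared:3 - ext4 /dev/sda2 rw,stripe=32708
60 22 0:25 / /run/user/1000 rw,nosuid,nodev,relatime shared:4 - tmpfs tmpfs rw,size=1024k
`

func main() {
	mounts, err := parseMountInfo(sampleMountInfo)
	if err != nil {
		panic(err)
	}
	for _, p := range []string{"/home/xxx", "/srv/xxx/docs", "/etc/fscrypt.conf"} {
		fmt.Printf("%-20s -> metadata under %s/.fscrypt\n", p, metadataRoot(mounts, p))
	}
}
```

On a live system the text comes from reading /proc/self/mountinfo; the parser rejects lines without the "-" separator so a truncated read fails loudly rather than silently mapping a path to the wrong filesystem.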
During build I am now seeing the following error:
make: arch: Command not found
go build --ldflags '-s -w -X "main.version=v0.2.3-2-gbd2ca31" -X "main.buildTime=Wed Feb 14 13:21:43 -03 2018" -extldflags "-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"' -o bin/fscrypt ./cmd/fscrypt
go build -buildmode=c-shared --ldflags '-s -w -X "main.version=v0.2.3-2-gbd2ca31" -X "main.buildTime=Wed Feb 14 13:21:43 -03 2018" -extldflags "-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"' -o bin/pam_fscrypt.so ./pam_fscrypt
rm -f bin/pam_fscrypt.h
The build succeeds nonetheless. Is this expected? It might be related to commit 3326520
After adding pam_fscrypt module to pam auth config it crashes login process after providing password:
systemd[1]: Started Getty on tty2.
systemd-coredump[14940]: Process 1777 (login) of user 0 dumped core.
Stack trace of thread 1777:
#0 0x000064ee5d0edc64 n/a (pam_fscrypt.so)
#1 0x000064ee5d0d5f4b n/a (pam_fscrypt.so)
#2 0x000064ee5d0c2180 n/a (pam_fscrypt.so)
#3 0x000064ee5d0e8d7e n/a (pam_fscrypt.so)
#4 0x000064ee5d0ea082 n/a (pam_fscrypt.so)
my pam system-login:
#%PAM-1.0
auth required pam_shells.so
auth requisite pam_nologin.so
auth required pam_unix.so try_first_pass
auth optional pam_permit.so
auth required pam_env.so
auth optional pam_fscrypt.so
account required pam_access.so
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session optional pam_fscrypt.so drop_caches lock_policies debug
session optional pam_loginuid.so
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so dir=/var/spool/mail standard quiet
-session optional pam_systemd.so
session required pam_env.so
my pam system-auth:
#%PAM-1.0
auth required pam_unix.so try_first_pass
auth optional pam_permit.so
auth required pam_env.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password required pam_unix.so try_first_pass sha512 shadow
password optional pam_permit.so
password optional pam_fscrypt.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
I didn't setup any passwords or protectors yet. Only run fscrypt setup
System: Archlinux
Kernel: 4.12.8
I noticed that logged user can view files from other logged users encrypted directories even as they see encrypted directory status as locked and don't have relevant key in their keyring. Is it side effect of linking user keyring to root's? I tested this on Archlinux with fscrypt --version 0.2.1-1-ga949b13 while logging in with VT console. Also all users in Arch share the same GID "users" by default. After user logout directory is properly visible as encrypted.
Encrypted directory status viewed as user2:
$ fscrypt status /home/user1
"/home/user1" is encrypted with fscrypt.
Policy: 949471831dcf55cf
Unlocked: No
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
6682ae84e70e99b3 No login protector for user1
User2 keyring:
$ keyctl show
Session Keyring
168271410 --alswrv 1002 1002 keyring: _ses
840784887 --alswrv 1002 65534 \_ keyring: _uid.1002
800661253 --alsw-v 1002 1002 \_ logon: ext4:13cb92d62226353b
Encrypted directory view as user2:
$ ls -al /home/user1/
total 12
drwxr-xr-x 2 user1 user1 4096 Sep 3 16:14 .
drwxr-xr-x 6 root root 4096 Sep 3 16:10 ..
-rw-r--r-- 1 user1 user1 225 Sep 8 12:02 .bash_history
Encrypted file view as user2:
$ cat /home/user1/.bash_history
ls -al
fscrypt encrypt /home/user1
exit
exit
fscrypt status /home/user1/
exit
exit
exit
exit
chmod 644 .bash_history
logout
exit
exit
exit
Thank you for fixing issues I reported. Unfortunately I have another one.
I created user1 and created encrypted directory under his homedir using pam_passphrase method.
I added following fscrypt pam session module to my pam config:
session optional pam_fscrypt.so drop_caches lock_policies debug
When user1 logs in encrypted directory is correctly unlocked but after logout it's still unlocked and available in plaintext. user1 key is still available in root keyring.
Invoking fscrypt purge manually correctly removes user1 keys and lock encrypted directory.
fscrypt --version
Version:
0.2.1
pam_fscrypt[928]: OpenSession()
pam_fscrypt[928]: Session count for UID=995 updated to 1
pam_fscrypt[928]: Setreuid(995, 0) = <nil>
pam_fscrypt[928]: keyringID(_uid.995) = 382539738, <nil>
pam_fscrypt[928]: Setreuid(0, 995) = <nil>
pam_fscrypt[928]: KeyctlLink(382539738, -2) = <nil>
pam_fscrypt[928]: Setreuid(0, 0) = <nil>
pam_fscrypt[928]: keyringID(_uid.0) = 953047531, <nil>
pam_fscrypt[928]: KeyctlLink(953047531, -2) = <nil>
pam_fscrypt[928]: KeyctlLink(382539738, 953047531) = <nil>
pam_fscrypt[928]: Setting privileges to "sddm"
pam_fscrypt[928]: Setregid(-1, 995) = <nil>
pam_fscrypt[928]: Setgroups([995]) = <nil>
pam_fscrypt[928]: Setreuid(-1, 995) = <nil>
pam_fscrypt[928]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[928]: creating context for "sddm"
pam_fscrypt[928]: found ext4 filesystem "/" (/dev/sda1)
pam_fscrypt[928]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[928]: found 1 descriptor(s)
pam_fscrypt[928]: successfully read metadata from "/.fscrypt/protectors/d61a252a36ed673d"
pam_fscrypt[928]: no protector to unlock: no PAM protector for UID=995 on "/"
pam_fscrypt[928]: Setting privileges to "root"
pam_fscrypt[928]: Setreuid(-1, 0) = <nil>
pam_fscrypt[928]: Setregid(-1, 0) = <nil>
pam_fscrypt[928]: Setgroups([0 1 2 3 4 6 10 19]) = <nil>
pam_fscrypt[928]: pam func succeeded
pam_fscrypt[1024]: OpenSession()
pam_fscrypt[1024]: Session count for UID=1001 updated to 1
pam_fscrypt[1024]: KeyctlLink(620474931, 953047531) = <nil>
pam_fscrypt[1024]: Setting privileges to "user1"
pam_fscrypt[1024]: Setregid(-1, 1001) = <nil>
pam_fscrypt[1024]: Setgroups([1001 6 7 90 91 92 93 95 96 98]) = <nil>
pam_fscrypt[1024]: Setreuid(-1, 1001) = <nil>
pam_fscrypt[1024]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[1024]: creating context for "user1"
pam_fscrypt[1024]: found ext4 filesystem "/" (/dev/sda1)
pam_fscrypt[1024]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[1024]: found 1 descriptor(s)
pam_fscrypt[1024]: successfully read metadata from "/.fscrypt/protectors/d61a252a36ed673d"
pam_fscrypt[1024]: Getting protector d61a252a36ed673d from option
pam_fscrypt[1024]: successfully read metadata from "/.fscrypt/protectors/d61a252a36ed673d"
pam_fscrypt[1024]: listing descriptors in "/.fscrypt/policies"
pam_fscrypt[1024]: found 0 descriptor(s)
pam_fscrypt[1024]: successfully read metadata from "/.fscrypt/protectors/d61a252a36ed673d"
pam_fscrypt[1024]: listing descriptors in "/home/.fscrypt/policies"
pam_fscrypt[1024]: found 1 descriptor(s)
pam_fscrypt[1024]: successfully read metadata from "/home/.fscrypt/policies/ad38f36028a00960"
pam_fscrypt[1024]: got data for ad38f36028a00960 from "/home"
pam_fscrypt[1024]: stat /run/user/995/.fscrypt: permission denied
pam_fscrypt[1024]: stat /run/user/995/.fscrypt/policies: permission denied
pam_fscrypt[1024]: stat /run/user/995/.fscrypt/protectors: permission denied
pam_fscrypt[1024]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
pam_fscrypt[1024]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
pam_fscrypt[1024]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
pam_fscrypt[1024]: stat /sys/kernel/debug/.fscrypt: permission denied
pam_fscrypt[1024]: stat /sys/kernel/debug/.fscrypt/policies: permission denied
pam_fscrypt[1024]: stat /sys/kernel/debug/.fscrypt/protectors: permission denied
pam_fscrypt[1024]: unlocking 1 policies protected with AUTHTOK
pam_fscrypt[1024]: running passphrase hash for protector d61a252a36ed673d
pam_fscrypt[1024]: valid wrapping key for protector d61a252a36ed673d
pam_fscrypt[1024]: keyringID(session) = 285177417, <nil>
pam_fscrypt[1024]: KeyctlSearch(285177417, keyring, _uid.1001) = 620474931, <nil>
pam_fscrypt[1024]: KeyctlSearch(620474931, logon, ext4:ad38f36028a00960) = -1, required key not available
pam_fscrypt[1024]: keyringID(session) = 285177417, <nil>
pam_fscrypt[1024]: KeyctlSearch(285177417, keyring, _uid.1001) = 620474931, <nil>
pam_fscrypt[1024]: KeyctlAddKey(logon, ext4:ad38f36028a00960, <data>, 620474931) = 647228005, <nil>
pam_fscrypt[1024]: policy ad38f36028a00960 provisioned
pam_fscrypt[1024]: Setting privileges to "root"
pam_fscrypt[1024]: Setreuid(-1, 0) = <nil>
pam_fscrypt[1024]: Setregid(-1, 0) = <nil>
pam_fscrypt[1024]: Setgroups([0 1 2 3 4 6 10 19]) = <nil>
pam_fscrypt[1024]: pam func succeeded
pam_fscrypt[1135]: OpenSession()
pam_fscrypt[1135]: Session count for UID=1001 updated to 2
pam_fscrypt[1135]: Setreuid(1001, 0) = <nil>
pam_fscrypt[1135]: keyringID(_uid.1001) = 620474931, <nil>
pam_fscrypt[1135]: Setreuid(0, 1001) = <nil>
pam_fscrypt[1135]: KeyctlLink(620474931, -2) = <nil>
pam_fscrypt[1135]: Setreuid(0, 0) = <nil>
pam_fscrypt[1135]: keyringID(_uid.0) = 953047531, <nil>
pam_fscrypt[1135]: KeyctlLink(953047531, -2) = <nil>
pam_fscrypt[1135]: KeyctlLink(620474931, 953047531) = <nil>
pam_fscrypt[1135]: Setting privileges to "user1"
pam_fscrypt[1135]: Setregid(-1, 1001) = <nil>
pam_fscrypt[1135]: Setgroups([1001 6 7 90 91 92 93 95 96 98]) = <nil>
pam_fscrypt[1135]: Setreuid(-1, 1001) = <nil>
pam_fscrypt[1135]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[1135]: creating context for "user1"
pam_fscrypt[1135]: found ext4 filesystem "/" (/dev/sda1)
pam_fscrypt[1135]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[1135]: found 1 descriptor(s)
pam_fscrypt[1135]: successfully read metadata from "/.fscrypt/protectors/d61a252a36ed673d"
pam_fscrypt[1135]: Getting protector d61a252a36ed673d from option
pam_fscrypt[1135]: successfully read metadata from "/.fscrypt/protectors/d61a252a36ed673d"
pam_fscrypt[1135]: listing descriptors in "/.fscrypt/policies"
pam_fscrypt[1135]: found 0 descriptor(s)
pam_fscrypt[1135]: successfully read metadata from "/.fscrypt/protectors/d61a252a36ed673d"
pam_fscrypt[1135]: listing descriptors in "/home/.fscrypt/policies"
pam_fscrypt[1135]: found 1 descriptor(s)
pam_fscrypt[1135]: successfully read metadata from "/home/.fscrypt/policies/ad38f36028a00960"
pam_fscrypt[1135]: got data for ad38f36028a00960 from "/home"
pam_fscrypt[1135]: stat /run/user/995/.fscrypt: permission denied
pam_fscrypt[1135]: stat /run/user/995/.fscrypt/policies: permission denied
pam_fscrypt[1135]: stat /run/user/995/.fscrypt/protectors: permission denied
pam_fscrypt[1135]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
pam_fscrypt[1135]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
pam_fscrypt[1135]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
pam_fscrypt[1135]: stat /sys/kernel/debug/.fscrypt: permission denied
pam_fscrypt[1135]: stat /sys/kernel/debug/.fscrypt/policies: permission denied
pam_fscrypt[1135]: stat /sys/kernel/debug/.fscrypt/protectors: permission denied
pam_fscrypt[1135]: unlocking 1 policies protected with AUTHTOK
pam_fscrypt[1135]: Setting privileges to "root"
pam_fscrypt[1135]: Setreuid(-1, 0) = <nil>
pam_fscrypt[1135]: Setregid(-1, 0) = <nil>
pam_fscrypt[1135]: Setgroups([0 1 2 3 4 6 10 19]) = <nil>
pam_fscrypt[1135]: pam func failed: unlocking protector d61a252a36ed673d: AUTHTOK data missing: No module specific data is present
pam_fscrypt[1024]: CloseSession(map[debug:true drop_caches:true lock_policies:true])
pam_fscrypt[1024]: Session count for UID=1001 updated to 1
pam_fscrypt[1024]: count is 1 and we are not locking
pam_fscrypt[1024]: pam func succeeded
pam_fscrypt[936]: CloseSession(map[drop_caches:true lock_policies:true debug:true])
pam_fscrypt[936]: count is 0 and we are not locking
pam_fscrypt[936]: pam func failed: open /run/fscrypt/995.count: permission denied
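The "Session count for UID=... updated to N" and "count is 1 and we are not locking" lines in this log come from a per-UID session counter. As an added illustration (my own code, not pam_fscrypt's), here is one way to implement that counter with an exclusive file lock, so that keys are removed only when the last session of a UID closes. The file name pattern <uid>.count is taken from the log line above; the directory is a parameter so the example runs unprivileged, and everything else is an assumption.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"syscall"
)

// sessionCounter tracks open PAM sessions per UID in <dir>/<uid>.count so
// that policies are locked only when the last session closes.
type sessionCounter struct{ dir string }

func (c sessionCounter) path(uid int) string {
	return filepath.Join(c.dir, strconv.Itoa(uid)+".count")
}

// adjust adds delta to the UID's count under an exclusive flock, clamps the
// result at zero (a close without a matching open must not go negative) and
// returns the new value.
func (c sessionCounter) adjust(uid, delta int) (int, error) {
	if err := os.MkdirAll(c.dir, 0o755); err != nil {
		return 0, err
	}
	f, err := os.OpenFile(c.path(uid), os.O_RDWR|os.O_CREATE, 0o600)
	if err != nil {
		// The failure the sddm line of the log shows: the count file must be
		// writable by whoever runs the close-session hook.
		return 0, fmt.Errorf("session count for UID=%d: %w", uid, err)
	}
	defer f.Close()
	if err := syscall.Flock(int(f.Fd()), syscall.LOCK_EX); err != nil {
		return 0, err
	}
	defer syscall.Flock(int(f.Fd()), syscall.LOCK_UN)

	data, err := io.ReadAll(f)
	if err != nil {
		return 0, err
	}
	count, _ := strconv.Atoi(strings.TrimSpace(string(data))) // empty or garbage counts as 0
	count += delta
	if count < 0 {
		count = 0
	}
	if err := f.Truncate(0); err != nil {
		return 0, err
	}
	if _, err := f.Seek(0, io.SeekStart); err != nil {
		return 0, err
	}
	if _, err := fmt.Fprintf(f, "%d\n", count); err != nil {
		return 0, err
	}
	return count, nil
}

// openSession reports whether this is the UID's first session (unlock now).
func (c sessionCounter) openSession(uid int) (bool, error) {
	n, err := c.adjust(uid, +1)
	return n == 1, err
}

// closeSession reports whether this was the UID's last session (lock now).
func (c sessionCounter) closeSession(uid int) (bool, error) {
	n, err := c.adjust(uid, -1)
	return n == 0, err
}

func main() {
	dir, err := os.MkdirTemp("", "fscrypt-count")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	c := sessionCounter{dir: dir}
	for _, op := range []string{"open", "open", "close", "close"} {
		var flag bool
		if op == "open" {
			flag, err = c.openSession(1001)
		} else {
			flag, err = c.closeSession(1001)
		}
		fmt.Printf("%s UID=1001: first/last=%v err=%v\n", op, flag, err)
	}
}
```

The lock matters because open and close hooks for the same UID can run concurrently (two terminals, a display manager plus a console login); without it two closes can both read the same old value and neither sees zero.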
I've added pam_fscrypt to /etc/pam.d/system-auth (on Arch Linux) as described in the README:
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so
auth optional pam_fscrypt.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so
password optional pam_fscrypt.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
session optional pam_fscrypt.so drop_caches lock_policies
With pam_fscrypt enabled, I'm no longer in the wheel group after login for some reason, which means I can no longer use sudo. Instead, it adds me to the root group:
$ id
uid=1000(i3test) gid=1000(i3test) groups=1000(i3test),0(root)
With session optional pam_fscrypt.so commented out:
$ id
uid=1000(i3test) gid=1000(i3test) groups=1000(i3test),985(wheel)
Log:
login[434]: pam_unix(login:session): session opened for user i3test by LOGIN(uid=0)
pam_fscrypt[434]: OpenSession()
pam_fscrypt[434]: Session count for UID=1000 updated to 1
pam_fscrypt[434]: KeyctlLink(483117192, 57274768) = <nil>
pam_fscrypt[434]: Setting privileges to "i3test"
pam_fscrypt[434]: Setregid(-1, 1000) = <nil>
pam_fscrypt[434]: Setgroups([1000 985]) = <nil>
pam_fscrypt[434]: Setreuid(-1, 1000) = <nil>
pam_fscrypt[434]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[434]: creating context for "i3test"
pam_fscrypt[434]: found ext4 filesystem "/" (/dev/sda2)
pam_fscrypt[434]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[434]: found 0 descriptor(s)
pam_fscrypt[434]: no protector to unlock: no PAM protector for UID=1000 on "/"
pam_fscrypt[434]: Setting privileges to "root"
pam_fscrypt[434]: Setreuid(-1, 0) = <nil>
pam_fscrypt[434]: Setregid(-1, 0) = <nil>
pam_fscrypt[434]: Setgroups([0]) = <nil>
pam_fscrypt[434]: pam func succeeded
login[434]: LOGIN ON tty1 BY i3test
login[434]: pam_unix(login:session): session closed for user i3test
pam_fscrypt[434]: CloseSession(map[drop_caches:true lock_policies:true debug:true])
pam_fscrypt[434]: Session count for UID=1000 updated to 0
pam_fscrypt[434]: locking polices protected with login protector
pam_fscrypt[434]: KeyctlLink(483117192, 57274768) = <nil>
pam_fscrypt[434]: Setting privileges to "i3test"
pam_fscrypt[434]: Setregid(-1, 1000) = <nil>
pam_fscrypt[434]: Setgroups([1000 985]) = <nil>
pam_fscrypt[434]: Setreuid(-1, 1000) = <nil>
pam_fscrypt[434]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[434]: creating context for "i3test"
pam_fscrypt[434]: found ext4 filesystem "/" (/dev/sda2)
pam_fscrypt[434]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[434]: found 0 descriptor(s)
pam_fscrypt[434]: nothing to lock: no PAM protector for UID=1000 on "/"
pam_fscrypt[434]: Setting privileges to "root"
pam_fscrypt[434]: Setreuid(-1, 0) = <nil>
pam_fscrypt[434]: Setregid(-1, 0) = <nil>
pam_fscrypt[434]: Setgroups([0]) = <nil>
pam_fscrypt[434]: dropping appropriate filesystem caches at session close
pam_fscrypt[434]: syncing changes to filesystem
pam_fscrypt[434]: freeing reclaimable inodes and dentries
pam_fscrypt[434]: pam func succeeded
kernel: login (434): drop_caches: 2
Any ideas? :)
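The log above restores uid and gid but then calls Setgroups([0]), i.e. the supplementary group list was not part of what the module saved before becoming the user, which is how wheel disappears. As an added example (my own code, not pam_fscrypt's), here is a snapshot-and-restore of the complete credential set using Go's standard syscall package; the type and function names are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"syscall"
)

// identity is the full credential set a PAM module must save before it
// switches to the user and restore afterwards: uid, gid and the
// supplementary groups. Dropping the last part is what turns
// groups=1000,985(wheel) into groups=1000,0(root).
type identity struct {
	uid, gid int
	groups   []int
}

func currentIdentity() (identity, error) {
	groups, err := syscall.Getgroups()
	if err != nil {
		return identity{}, err
	}
	return identity{uid: syscall.Geteuid(), gid: syscall.Getegid(), groups: groups}, nil
}

// sameGroups compares two supplementary group lists regardless of order.
func sameGroups(a, b []int) bool {
	if len(a) != len(b) {
		return false
	}
	x := append([]int(nil), a...)
	y := append([]int(nil), b...)
	sort.Ints(x)
	sort.Ints(y)
	for i := range x {
		if x[i] != y[i] {
			return false
		}
	}
	return true
}

// restore switches the effective credentials back to the saved identity in
// the order that keeps privilege available: euid first (allowed while the
// real uid is still root), then egid, then the supplementary groups, which
// need CAP_SETGID. Steps already satisfied are skipped, so an unprivileged
// process restoring its own identity succeeds without any syscalls.
func (id identity) restore() error {
	cur, err := currentIdentity()
	if err != nil {
		return err
	}
	if cur.uid != id.uid {
		if err := syscall.Setreuid(-1, id.uid); err != nil {
			return fmt.Errorf("setreuid(-1, %d): %w", id.uid, err)
		}
	}
	if cur.gid != id.gid {
		if err := syscall.Setregid(-1, id.gid); err != nil {
			return fmt.Errorf("setregid(-1, %d): %w", id.gid, err)
		}
	}
	if !sameGroups(cur.groups, id.groups) {
		if err := syscall.Setgroups(id.groups); err != nil {
			return fmt.Errorf("setgroups(%v): %w", id.groups, err)
		}
	}
	return nil
}

func main() {
	saved, err := currentIdentity()
	if err != nil {
		panic(err)
	}
	fmt.Printf("saved uid=%d gid=%d groups=%v\n", saved.uid, saved.gid, saved.groups)
	fmt.Println("restore:", saved.restore())
}
```

A module that drops privileges should always take this snapshot first and compare the result of restore against it, as the test below does; a mismatch means the login process will carry the wrong group set into the user's shell.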
By default, protectors with type pam_passphrase have their metadata stored at the filesystem root. This is to make sure the login protectors are updated when the user's passphrase changes.
This can be unexpected as metadata is normally stored entirely on the filesystem containing the encrypted directory. The current documentation/man pages should note how this works.
Many of the tests for fscrypt have a dependency on the environment. They either require
TEST_FILESYSTEM_ROOT be set to the root of an ext4 filesystem for testing.
pam_fscrypt.so be installed.
To fix all this, we will add a command to setup the environment for integration tests, and skip the integration tests if the environment is not setup.
The README.md currently does not match reality, they should be fixed (similar to google/fscryptctl#6). We may want some way to autogenerate the documents to make the updating process easier.
Fscrypt is intended to replace eCryptfs as the implementation for home directory encryption in Ubuntu.
Tyler Hicks will be the main POC at Canonical
fscrypt --version
Version:
0.2.0-12-gfe92c00
fscrypt encrypt --verbose /home/bbb
Reading config from "/etc/fscrypt.conf"
/home/bbb is on ext4 filesystem "/home" (/dev/sda2)
ensuring /home/bbb is an empty and readable directory
ensuring /home/bbb supports encryption and filesystem is using fscrypt
creating policy for "/home/bbb"
listing descriptors in "/home/.fscrypt/protectors"
found 0 descriptor(s)
listing descriptors in "/.fscrypt/protectors"
found 0 descriptor(s)
adding additional ProtectorOptions
Your data can be protected with one of the following sources:
1 - Your login passphrase (pam_passphrase)
2 - A custom passphrase (custom_passphrase)
3 - A raw 256-bit key (raw_key)
Enter the source number for the new protector [2 - custom_passphrase]: 1
using source: pam_passphrase
using name:
creating login protector on "/" instead of "/home"
listing descriptors in "/.fscrypt/protectors"
found 0 descriptor(s)
KeyFunc(login protector for non-root-user, false)
Enter login passphrase for non-root-user:
Checking login token for non-root-user
running passphrase hash for protector 1a4115c26b47168e
writing metadata to "/.fscrypt/protectors/1a4115c26b47168e"
policy on /home
Filsystem: ext4
Options: [rw nosuid nodev noexec noatime stripe=32708 data=ordered]
Device: /dev/sda2
protector on /
Filsystem: ext4
Options: [rw noatime errors=remount-ro data=ordered]
Device: /dev/sda1
successfully read metadata from "/.fscrypt/protectors/1a4115c26b47168e"
blkid_evaluate_spec("/dev/sda1", <cache>) = "/dev/sda1"
blkid_get_tag_value(<cache>, UUID, /dev/sda1) =
could not remove metadata at "/.fscrypt/protectors/1a4115c26b47168e.link"
successfully removed metadata at "/.fscrypt/protectors/1a4115c26b47168e"
fscrypt encrypt: filesystem /: no UUID: system error: cannot create filesystem link
/dev/sda1 is "/" with encryption feature disabled
/dev/sda2 is "/home" with encryption feature enabled
/home/bbb is owned by non-root-user
Directory is successfully encrypted by non-root-user using custom_passphrase method.
Directory is successfully encrypted by root while owned by root using pam_passphrase method.
I noticed that when using custom_passphrase fscrypt policy is saved in /home/.fscrypt while using pam_passphrase it tries to save it under /.fscrypt which fails.
As of right now, Policies can only be unlocked by passing OptionFunc and KeyFunc callbacks. This works in most cases. However, if there are multiple policies protected with the same protector, then the KeyFunc must be called multiple times to unlock them all.
This could be solved by adding an additional unlock method on the Policy struct.
Hello,
We need to specify another path for /etc/fscrypt.conf, as parameter to each command.
Regards,
Nicolas
When following the build instructions in the readme, I got stuck at:
go get -d github.com/google/fscrypt
It comes back with:
can't load package: package github.com/google/fscrypt: no buildable Go source files in /home/pp/go/src/github.com/google/fscrypt
($GOROOT is /home/pp/go/root and $GOPATH is /home/pp/go here.)
/home/pp/go/src/github.com/google/fscrypt does contain the cloned contents of this repo.
The dep tool is now ready for production use.
It will greatly simplify a lot of our build rules, as well as reducing our overhead when dep is absorbed into the golang toolchain.
For example, our go-tools build rule can be replaced with required build rules in Gopkg.toml.
After updating to revision bd2ca31 my previously working fscrypt setup started failing.
Steps:
Home directory is left in unlocked state after this, so pam_fscrypt.so is partially working. Removing all pam_fscrypt.so instances from /etc/pam.d/system-auth and /etc/pam.d/system-login results in successful login (if home directory is in unlocked state, which it is after at least one failed attempt).
Reverting to revision 141265f solves the issue and logins work again.
Non-encrypted logins do work even with pam_fscrypt.so enabled (my root home is not encrypted). Logs with debug option in all pam_fscrypt.so instances:
Look at pam_fscrypt[11273] for instance:
Fscrypt has versioning in the Makefile and with --version. Should just be a badge or something.
Test case:
sudo echo lol
Result:
[sudo] password for seba:
fatal error: unexpected signal during runtime execution
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x7fa539940f11]
runtime stack:
runtime.throw(0x7fa53576536c, 0x2a)
/usr/lib/go/src/runtime/panic.go:605 +0x97
runtime.sigpanic()
/usr/lib/go/src/runtime/signal_unix.go:351 +0x2bc
goroutine 17 [syscall, locked to thread]:
runtime.cgocall(0x7fa53575b580, 0xc4200c1cb8, 0x29)
/usr/lib/go/src/runtime/cgocall.go:132 +0xea fp=0xc4200c1c88 sp=0xc4200c1c48 pc=0x7fa5355f374a
github.com/google/fscrypt/pam._Cfunc_copyIntoSecret(0x0, 0x0)
github.com/google/fscrypt/pam/_obj/_cgo_gotypes.go:106 +0x4c fp=0xc4200c1cb8 sp=0xc4200c1c88 pc=0x7fa53571b70c
github.com/google/fscrypt/pam.(*Handle).SetSecret.func1(0x0, 0x7fa53571c7a1)
/home/seba/.cache/pacaur/fscrypt-git/src/go/src/github.com/google/fscrypt/pam/pam.go:98 +0x62 fp=0xc4200c1cf0 sp=0xc4200c1cb8 pc=0x7fa53571cfc2
github.com/google/fscrypt/pam.(*Handle).SetSecret(0xc42000c9e0, 0x7fa53575dfc3, 0xf, 0x0, 0x0, 0x0)
/home/seba/.cache/pacaur/fscrypt-git/src/go/src/github.com/google/fscrypt/pam/pam.go:98 +0x2d fp=0xc4200c1d38 sp=0xc4200c1cf0 pc=0x7fa53571c65d
main.Authenticate(0xc42000c9e0, 0xc4200108a0, 0x0, 0x0)
/home/seba/.cache/pacaur/fscrypt-git/src/go/src/github.com/google/fscrypt/pam_fscrypt/pam_fscrypt.go:75 +0x256 fp=0xc4200c1da8 sp=0xc4200c1d38 pc=0x7fa5357576c6
main.RunPamFunc(0x7fa535a01df8, 0x55af85c4b080, 0x0, 0x0, 0x0)
/home/seba/.cache/pacaur/fscrypt-git/src/go/src/github.com/google/fscrypt/pam_fscrypt/run_fscrypt.go:82 +0x20c fp=0xc4200c1e40 sp=0xc4200c1da8 pc=0x7fa53575915c
main.pam_sm_authenticate(0x55af85c4b080, 0x8000, 0x0, 0xc400000008)
/home/seba/.cache/pacaur/fscrypt-git/src/go/src/github.com/google/fscrypt/pam_fscrypt/pam_fscrypt.go:262 +0x4b fp=0xc4200c1e78 sp=0xc4200c1e40 pc=0x7fa535758dab
main._cgoexpwrap_058fc3b736e8_pam_sm_authenticate(0x55af85c4b080, 0x8000, 0x0, 0x0)
github.com/google/fscrypt/pam_fscrypt/_obj/_cgo_gotypes.go:62 +0x47 fp=0xc4200c1ea8 sp=0xc4200c1e78 pc=0x7fa5357571a7
runtime.call32(0x0, 0x7fff085bf0e8, 0x7fff085bf180, 0x20)
/usr/lib/go/src/runtime/asm_amd64.s:509 +0x3d fp=0xc4200c1ed8 sp=0xc4200c1ea8 pc=0x7fa535646f7d
runtime.cgocallbackg1(0x0)
/usr/lib/go/src/runtime/cgocall.go:305 +0x1a0 fp=0xc4200c1f58 sp=0xc4200c1ed8 pc=0x7fa5355f3b00
runtime.cgocallbackg(0x0)
/usr/lib/go/src/runtime/cgocall.go:187 +0x95 fp=0xc4200c1fc0 sp=0xc4200c1f58 pc=0x7fa5355f38c5
runtime.cgocallback_gofunc(0x0, 0x0, 0x0, 0x0)
/usr/lib/go/src/runtime/asm_amd64.s:762 +0x9a fp=0xc4200c1fe0 sp=0xc4200c1fc0 pc=0x7fa53564858a
runtime.goexit()
/usr/lib/go/src/runtime/asm_amd64.s:2337 +0x1 fp=0xc4200c1fe8 sp=0xc4200c1fe0 pc=0x7fa535649801
[1] 4513 abort sudo echo lol
When trying to do go get github.com/google/fscrypt on macOS, I get the following error:
# github.com/google/fscrypt/metadata
metadata/constants.go:31: undefined: unix.FS_KEY_DESCRIPTOR_SIZE
metadata/constants.go:31: const initializer 2 * unix.FS_KEY_DESCRIPTOR_SIZE is not a constant
metadata/constants.go:39: undefined: unix.FS_MAX_KEY_SIZE
metadata/policy.go:49: undefined: unix.FscryptPolicy
metadata/policy.go:74: undefined: unix.FS_POLICY_FLAGS_PAD_4
metadata/policy.go:74: undefined: unix.FS_POLICY_FLAGS_PAD_8
metadata/policy.go:75: undefined: unix.FS_POLICY_FLAGS_PAD_16
metadata/policy.go:75: undefined: unix.FS_POLICY_FLAGS_PAD_32
metadata/policy.go:88: undefined: unix.FscryptPolicy
metadata/policy.go:89: undefined: unix.FS_IOC_GET_ENCRYPTION_POLICY
metadata/policy.go:89: too many errors
To make it clearer that building will only work on linux, a build constraint should be added to the files.
An implementation of Argon2id has made it into x/crypto!!!
We should switch over to this as it would get rid of any dependency on libargon2 and potentially increase performance. I'll post more perf info when I have a chance to prototype.
The PointerSlice() function, added by 0b643ea, is causing build failures on 32 bit architectures (verified on armhf and i386 in Ubuntu Artful). Here's the relevant snippet from the build log:
src/github.com/google/fscrypt/util/util.go:49: type [1073741824]unsafe.Pointer larger than address space
src/github.com/google/fscrypt/util/util.go:49: type [1073741824]unsafe.Pointer too large
Here's the code around line 49:
46 // PointerSlice takes a pointer to an array of pointers and views it as a slice
47 // of pointers. Note, indexing into this slice is unsafe.
48 func PointerSlice(ptr unsafe.Pointer) []unsafe.Pointer {
49 return (*[1 << 30]unsafe.Pointer)(ptr)[:]
50 }
I'm not sure how stable these links will be long term, but here are links to the full build logs:
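An added example, not fscrypt's own code and not the project's fix for this report: the same helper written so that it compiles on both word sizes, plus the only safe way to consume such a view. The phantom array type is never allocated, but the compiler still sizes it, and 1<<30 pointer entries is 4 GiB on a 32-bit target, which is what the two errors above reject; the 1<<28 cap, the NullTerminated and sampleArray helpers and the int-array sample input are this example's own choices.

```go
package main

import (
	"fmt"
	"unsafe"
)

// maxPtrArrayLen is the length of the phantom array type that PointerSlice
// views memory through. The type must fit the target's address space even
// though it is never allocated: 1<<30 entries is 4 GiB on a 32-bit build and
// fails with "larger than address space"; 1<<28 entries is 1 GiB there and
// 2 GiB on 64-bit, which compiles on both. (Value chosen for this example.)
const maxPtrArrayLen = 1 << 28

// PointerSlice takes a pointer to an array of pointers and views it as a
// slice of pointers. Indexing into this slice is unsafe: the caller must
// never touch an element beyond the memory that ptr actually points to.
func PointerSlice(ptr unsafe.Pointer) []unsafe.Pointer {
	return (*[maxPtrArrayLen]unsafe.Pointer)(ptr)[:]
}

// NullTerminated walks a C-style NULL-terminated pointer array (the layout
// of an argv-like array handed to a PAM module) and returns the non-NULL
// entries. limit bounds the walk so a missing terminator cannot run the
// loop off the end of the real array.
func NullTerminated(ptr unsafe.Pointer, limit int) []unsafe.Pointer {
	out := []unsafe.Pointer{}
	for i, p := range PointerSlice(ptr) {
		if i >= limit || p == nil {
			break
		}
		out = append(out, p)
	}
	return out
}

// sampleArray builds a constructed NULL-terminated array of pointers to
// ints so the helpers can be exercised without any C code.
func sampleArray() ([]int, []unsafe.Pointer) {
	vals := []int{10, 20, 30}
	arr := make([]unsafe.Pointer, len(vals)+1) // last entry stays nil
	for i := range vals {
		arr[i] = unsafe.Pointer(&vals[i])
	}
	return vals, arr
}

// SumPointedInts dereferences every entry NullTerminated finds, which is
// the pattern the bounded view is meant for.
func SumPointedInts(arr []unsafe.Pointer, limit int) int {
	sum := 0
	for _, p := range NullTerminated(unsafe.Pointer(&arr[0]), limit) {
		sum += *(*int)(p)
	}
	return sum
}

func main() {
	_, arr := sampleArray()
	fmt.Println("entries:", len(NullTerminated(unsafe.Pointer(&arr[0]), 16)))
	fmt.Println("sum:", SumPointedInts(arr, 16))
}
```

On Go 1.17 and newer, unsafe.Slice(ptr, n) with an explicit length replaces the phantom-array idiom entirely and removes the word-size question; the cap above is only needed where the idiom itself must be kept.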
Reported here, reproduced below:
I tested fscrypt with ext4, but I got this error:
root@pc1:/home/hamiltonp/Temp# fscrypt unlock mount/blah/
Enter custom passphrase for protector "test":
fscrypt unlock: permission denied: system error: could not insert key into the keyring
It persisted with both the password and the keyfile method.
When using SDDM display manager, filenames are still available in plaintext after user logs out. It's weird, as file contents remain encrypted. It doesn't happen if user logs in from console. It also happened before #57 was fixed and I executed the fscrypt purge command on exit from script.
fscrypt --version
Version:
0.2.1-9-gd6efd2a
Encrypted directory status before login:
# fscrypt status /home/user1/
"/home/user1" is encrypted with fscrypt.
Policy: 949471831dcf55cf
Unlocked: No
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
6682ae84e70e99b3 Yes (/) login protector for user1
Encrypted directory view before login:
# ls -al /home/user1
total 44
drwxr-xr-x 8 user1 user1 4096 Oct 1 21:55 .
drwxr-xr-x 6 root root 4096 Sep 3 16:10 ..
drwxr-xr-x 3 user1 user1 4096 Oct 1 21:55 4KuOWyB8JVvtSjQ5wWBs+3UWsPIAtebNN03,X6EhRRD
-rw------- 1 user1 user1 51 Oct 1 21:55 7Gkj14k6MhIjhqp,YpbkzY0ZmW5CZ8NWfjtIUvuXVYN
drwxr-xr-x 4 user1 user1 4096 Oct 1 21:56 cYjQyFUTZ0aueNUy49A2gC6rqu+hr9YqG+J0YxZuogN
drwxr-xr-x 3 user1 user1 4096 Oct 1 21:55 dUJK0ZvNyVKTTyY2aT4uwV70oxGuP4UpaaNTHH6f,PI
-rw------- 1 user1 user1 16 Oct 1 21:55 gaVOjkDXQ,epFAzE0U9oaiJ1RZegg,E46fybSNZxyZJ
drwxr-xr-x 12 user1 user1 4096 Oct 1 21:56 GhiHtwJJ6Udq2iruRTdskoM3gOuZO0qwD8Y7db9ViYK
-rw-r--r-- 1 user1 user1 336 Oct 1 21:55 mA2atU6muhkdiJ8+x11CDrSijNnTx6GymhU5fZQSIRM
drwx------ 2 user1 user1 4096 Oct 1 21:55 t3rX5lOToba9YDfnn,05o5AOxqs,8C+lilp7ayKpy5M
drwx------ 2 user1 user1 4096 Oct 1 21:55 xavy48JtAUzUGMEFTKfrwd,ckOdtF0I09FkVArPrg1N
user1 logs in:
# journalctl -f |grep fscrypt
pam_fscrypt[1162]: Authenticate()
pam_fscrypt[1162]: Setreuid(1001, 0) = <nil>
pam_fscrypt[1162]: keyringID(_uid.1001) = 848488077, <nil>
pam_fscrypt[1162]: Setreuid(0, 1001) = <nil>
pam_fscrypt[1162]: KeyctlLink(848488077, -2) = <nil>
pam_fscrypt[1162]: Setreuid(0, 0) = <nil>
pam_fscrypt[1162]: keyringID(_uid.0) = 698375302, <nil>
pam_fscrypt[1162]: KeyctlLink(698375302, -2) = <nil>
pam_fscrypt[1162]: KeyctlLink(848488077, 698375302) = <nil>
pam_fscrypt[1162]: Setting privileges to "user1"
pam_fscrypt[1162]: Setregid(-1, 1001) = <nil>
pam_fscrypt[1162]: Setgroups([1001 6 7 90 91 92 93 95 96 98]) = <nil>
pam_fscrypt[1162]: Setreuid(-1, 1001) = <nil>
pam_fscrypt[1162]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[1162]: creating context for "user1"
pam_fscrypt[1162]: found ext4 filesystem "/" (/dev/sda)
pam_fscrypt[1162]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[1162]: found 1 descriptor(s)
pam_fscrypt[1162]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1162]: Getting protector 6682ae84e70e99b3 from option
pam_fscrypt[1162]: copying AUTHTOK for use in the session open
pam_fscrypt[1162]: Setting privileges to "root"
pam_fscrypt[1162]: Setreuid(-1, 0) = <nil>
pam_fscrypt[1162]: Setregid(-1, 0) = <nil>
pam_fscrypt[1162]: Setgroups([0 1 2 3 4 6 10 19]) = <nil>
pam_fscrypt[1162]: pam func succeeded
pam_fscrypt[1162]: OpenSession()
pam_fscrypt[1162]: Session count for UID=1001 updated to 1
pam_fscrypt[1162]: KeyctlLink(848488077, 698375302) = <nil>
pam_fscrypt[1162]: Setting privileges to "user1"
pam_fscrypt[1162]: Setregid(-1, 1001) = <nil>
pam_fscrypt[1162]: Setgroups([1001 6 7 90 91 92 93 95 96 98]) = <nil>
pam_fscrypt[1162]: Setreuid(-1, 1001) = <nil>
pam_fscrypt[1162]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[1162]: creating context for "user1"
pam_fscrypt[1162]: found ext4 filesystem "/" (/dev/sda)
pam_fscrypt[1162]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[1162]: found 1 descriptor(s)
pam_fscrypt[1162]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1162]: Getting protector 6682ae84e70e99b3 from option
pam_fscrypt[1162]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1162]: listing descriptors in "/.fscrypt/policies"
pam_fscrypt[1162]: found 1 descriptor(s)
pam_fscrypt[1162]: successfully read metadata from "/.fscrypt/policies/949471831dcf55cf"
pam_fscrypt[1162]: got data for 949471831dcf55cf from "/"
pam_fscrypt[1162]: successfully read metadata from "/.fscrypt/policies/1
Encrypted directory view after user1 login:
# ls -al /home/user1
total 44
drwxr-xr-x 8 user1 user1 4096 Oct 1 21:59 .
drwxr-xr-x 6 root root 4096 Sep 3 16:10 ..
drwxr-xr-x 4 user1 user1 4096 Oct 1 21:56 .cache
drwxr-xr-x 12 user1 user1 4096 Oct 1 21:59 .config
drwx------ 2 user1 user1 4096 Oct 1 21:55 Desktop
-rw------- 1 user1 user1 16 Oct 1 21:55 .esd_auth
-rw-r--r-- 1 user1 user1 336 Oct 1 21:55 .gtkrc-2.0
drwxr-xr-x 3 user1 user1 4096 Oct 1 21:55 .kde4
drwxr-xr-x 3 user1 user1 4096 Oct 1 21:55 .local
drwx------ 2 user1 user1 4096 Oct 1 21:55 Temp
-rw------- 1 user1 user1 51 Oct 1 21:59 .Xauthority
user1 logout:
# journalctl -f |grep fscrypt
pam_fscrypt[1116]: CloseSession(map[debug:true lock_policies:true drop_caches:true])
pam_fscrypt[1116]: Session count for UID=1001 updated to 0
pam_fscrypt[1116]: locking polices protected with login protector
pam_fscrypt[1116]: KeyctlLink(7728276, 117932856) = <nil>
pam_fscrypt[1116]: Setting privileges to "user1"
pam_fscrypt[1116]: Setregid(-1, 1001) = <nil>
pam_fscrypt[1116]: Setgroups([1001 6 7 90 91 92 93 95 96 98]) = <nil>
pam_fscrypt[1116]: Setreuid(-1, 1001) = <nil>
pam_fscrypt[1116]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[1116]: creating context for "user1"
pam_fscrypt[1116]: found ext4 filesystem "/" (/dev/sda)
pam_fscrypt[1116]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[1116]: found 1 descriptor(s)
pam_fscrypt[1116]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1116]: Getting protector 6682ae84e70e99b3 from option
pam_fscrypt[1116]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1116]: listing descriptors in "/.fscrypt/policies"
pam_fscrypt[1116]: found 1 descriptor(s)
pam_fscrypt[1116]: successfully read metadata from "/.fscrypt/policies/949471831dcf55cf"
pam_fscrypt[1116]: got data for 949471831dcf55cf from "/"
pam_fscrypt[1116]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1116]: listing descriptors in "/home/.fscrypt/policies"
pam_fscrypt[1116]: found 1 descriptor(s)
pam_fscrypt[1116]: successfully read metadata from "/home/.fscrypt/policies/949471831dcf55cf"
pam_fscrypt[1116]: got data for 949471831dcf55cf from "/home"
pam_fscrypt[1116]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
pam_fscrypt[1116]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
pam_fscrypt[1116]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
pam_fscrypt[1116]: stat /sys/kernel/debug/.fscrypt: permission denied
pam_fscrypt[1116]: stat /sys/kernel/debug/.fscrypt/policies: permission denied
pam_fscrypt[1116]: stat /sys/kernel/debug/.fscrypt/protectors: permission denied
Encrypted directory status after user1 logout:
# fscrypt status /home/user1/
"/home/user1" is encrypted with fscrypt.
Policy: 949471831dcf55cf
Unlocked: No
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
6682ae84e70e99b3 Yes (/) login protector for user1
Encrypted directory view after user1 logout:
# ls -al /home/user1
total 44
drwxr-xr-x 8 user1 user1 4096 Oct 1 22:04 .
drwxr-xr-x 6 root root 4096 Sep 3 16:10 ..
drwxr-xr-x 5 user1 user1 4096 Oct 1 22:05 .cache
drwxr-xr-x 12 user1 user1 4096 Oct 1 22:05 .config
drwx------ 2 user1 user1 4096 Oct 1 21:55 Desktop
-rw------- 1 user1 user1 16 Oct 1 21:55 .esd_auth
-rw-r--r-- 1 user1 user1 336 Oct 1 21:55 .gtkrc-2.0
drwxr-xr-x 3 user1 user1 4096 Oct 1 21:55 .kde4
drwxr-xr-x 3 user1 user1 4096 Oct 1 21:55 .local
drwx------ 2 user1 user1 4096 Oct 1 21:55 Temp
-rw------- 1 user1 user1 51 Oct 1 22:04 .Xauthority
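An added check, not part of the report and not fscrypt code, that detects the state the report pairs above: fscrypt status says the directory is locked, yet the listing shows plaintext names. The ciphertext-name test is a heuristic built on the alphabet the kernel of this period used for no-key filenames (A-Z, a-z, 0-9, '+', ',', no padding) and on the padded ciphertext length; the status text and the two listings are constructed from the report's own output, abridged.

```go
package main

import (
	"fmt"
	"strings"
)

// fscryptBase64 is the alphabet kernels of this era used for ciphertext
// filenames: base64 letters and digits with '+' and ',' as the two extra
// symbols, no padding. (Assumption of this example; later kernels moved to
// base64url.)
const fscryptBase64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+,"

// looksEncrypted is a heuristic: a ciphertext name decodes to at least one
// AES block (16 bytes) rounded up to the policy padding (4, 8, 16 or 32
// bytes), so its decoded length is a multiple of 4 and >= 16, and every
// character comes from the fscrypt alphabet. The 43-character names in the
// report decode to 32 bytes, the default padding.
func looksEncrypted(name string) bool {
	if len(name)%4 == 1 { // no unpadded base64 string has length 4k+1
		return false
	}
	for _, c := range name {
		if !strings.ContainsRune(fscryptBase64, c) {
			return false
		}
	}
	decoded := len(name) * 3 / 4
	return decoded >= 16 && decoded%4 == 0
}

// isLocked reads the "Unlocked:" line of `fscrypt status` output.
func isLocked(status string) bool {
	for _, line := range strings.Split(status, "\n") {
		if strings.TrimSpace(line) == "Unlocked: No" {
			return true
		}
	}
	return false
}

// plaintextNamesInLockedDir returns the entries of an `ls -al` listing that
// do not look like ciphertext names although `fscrypt status` reports the
// directory as locked. It returns nil when the directory is unlocked, where
// plaintext names are expected. Names containing spaces are not handled.
func plaintextNamesInLockedDir(status, listing string) []string {
	if !isLocked(status) {
		return nil
	}
	var leaked []string
	for _, line := range strings.Split(listing, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 9 { // "total 44" and blank lines
			continue
		}
		name := fields[len(fields)-1]
		if name == "." || name == ".." {
			continue
		}
		if !looksEncrypted(name) {
			leaked = append(leaked, name)
		}
	}
	return leaked
}

// Constructed samples, abridged from the report's own output.
const lockedStatus = `"/home/user1" is encrypted with fscrypt.
Policy:   949471831dcf55cf
Unlocked: No
`

const beforeLogin = `total 44
drwxr-xr-x  8 user1 user1 4096 Oct  1 21:55 .
drwxr-xr-x  6 root  root  4096 Sep  3 16:10 ..
drwxr-xr-x  3 user1 user1 4096 Oct  1 21:55 4KuOWyB8JVvtSjQ5wWBs+3UWsPIAtebNN03,X6EhRRD
-rw-------  1 user1 user1   51 Oct  1 21:55 7Gkj14k6MhIjhqp,YpbkzY0ZmW5CZ8NWfjtIUvuXVYN
drwx------  2 user1 user1 4096 Oct  1 21:55 t3rX5lOToba9YDfnn,05o5AOxqs,8C+lilp7ayKpy5M
`

const afterLogout = `total 44
drwxr-xr-x  8 user1 user1 4096 Oct  1 22:04 .
drwxr-xr-x  6 root  root  4096 Sep  3 16:10 ..
drwxr-xr-x  5 user1 user1 4096 Oct  1 22:05 .cache
drwx------  2 user1 user1 4096 Oct  1 21:55 Desktop
-rw-r--r--  1 user1 user1  336 Oct  1 21:55 .gtkrc-2.0
drwx------  2 user1 user1 4096 Oct  1 21:55 Temp
-rw-------  1 user1 user1   51 Oct  1 22:04 .Xauthority
`

func main() {
	fmt.Println("before login, leaked:", plaintextNamesInLockedDir(lockedStatus, beforeLogin))
	fmt.Println("after logout, leaked:", plaintextNamesInLockedDir(lockedStatus, afterLogout))
}
```

Run after a session closes, a non-empty result is the signal that the directory's dentries still carry plaintext names even though the key is gone from the keyring, which is the condition the drop_caches option exists to clear.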
I'm somewhat paranoid, but I have a suggestion: include Argon2 iterations as an option for encrypting/decrypting folders.
The Argon2 0~20160821-1+b1 (latest) command line shows:
$ argon2
Usage: argon2 [-h] salt [-i|-d|-id] [-t iterations] [-m memory] [-p parallelism] [-l hash length] [-e|-r]
Password is read from stdin
Parameters:
salt The salt to use, at least 8 characters
-i Use Argon2i (this is the default)
-d Use Argon2d instead of Argon2i
-id Use Argon2id instead of Argon2i
-t N Sets the number of iterations to N (default = 3)
-m N Sets the memory usage of 2^N KiB (default 12)
-p N Sets parallelism to N threads (default 1)
-l N Sets hash output length to N bytes (default 32)
-e Output only encoded hash
-r Output only the raw bytes of the hash
-h Print argon2 usage
I have been using KeePass 2.36 for storing/backing up my passwords and keyfiles (I don't like it, but I use it for the Argon2). It includes the Argon2 algorithm, but I can't extract anything from its keyring files on the command line because it is a GUI-only app (there is kpcli, but it is incompatible with its keyring files). It's simple to compute an approximate time by multiplying X iterations by a number to get a desired time to open such a file using X threads.
I think this feature in fscrypt could be very useful, even more so with an interactive CPU time test option.
I noticed that fscrypt purge correctly clears the user keyring but keeps it linked to the root keyring.
Before user unlocks encrypted directory:
# keyctl show
Session Keyring
500577725 --alswrv 0 0 keyring: _ses
749555953 --alswrv 0 65534 \_ keyring: _uid.0
After user unlocks encrypted directory:
# keyctl show
Session Keyring
500577725 --alswrv 0 0 keyring: _ses
749555953 --alswrv 0 65534 \_ keyring: _uid.0
173465956 ---lswrv 1001 65534 \_ keyring: _uid.1001
462364131 --alsw-v 1001 1001 \_ logon: ext4:949471831dcf55cf
After fscrypt purge / --force --user=user1:
# keyctl show
Session Keyring
500577725 --alswrv 0 0 keyring: _ses
749555953 --alswrv 0 65534 \_ keyring: _uid.0
173465956 ---lswrv 1001 65534 \_ keyring: _uid.1001
Is this correct behavior? I think it should go back to a clean state, which means unlinking the user keyring from the root keyring.
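An added checker, not fscrypt code, that parses keyctl show output into a tree and reports user keyrings that remain linked under root's _uid.0 keyring without holding any logon key, the state shown after the purge above. The two sample outputs are constructed from the report's keyctl listings with keyctl's usual indentation restored, since the nesting depth is read from the column at which the \_ marker appears.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// keyNode is one line of `keyctl show` output turned into a tree node.
type keyNode struct {
	ID       string
	Type     string // "keyring", "logon", "user", ...
	Desc     string // e.g. "_uid.1001" or "ext4:949471831dcf55cf"
	Children []*keyNode
}

// entryRE matches "ID PERMS UID GID [\_] TYPE: DESCRIPTION".
var entryRE = regexp.MustCompile(`^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(.*?)(\w+): (.*)$`)

// parseKeyctlShow builds the keyring tree from `keyctl show` text. Depth is
// taken from the column of the "\_" marker, which is how keyctl draws the
// hierarchy; the session keyring line has no marker and becomes the root.
func parseKeyctlShow(out string) []*keyNode {
	type frame struct {
		col  int
		node *keyNode
	}
	var roots []*keyNode
	var stack []frame
	for _, line := range strings.Split(out, "\n") {
		m := entryRE.FindStringSubmatch(line)
		if m == nil {
			continue // header such as "Session Keyring", or a blank line
		}
		n := &keyNode{ID: m[1], Type: m[6], Desc: m[7]}
		col := strings.Index(line, `\_`)
		for len(stack) > 0 && stack[len(stack)-1].col >= col {
			stack = stack[:len(stack)-1]
		}
		if len(stack) == 0 {
			roots = append(roots, n)
		} else {
			parent := stack[len(stack)-1].node
			parent.Children = append(parent.Children, n)
		}
		stack = append(stack, frame{col, n})
	}
	return roots
}

// hasLogonKey reports whether any descendant is a logon key, the key type
// fscrypt uses for filesystem encryption keys.
func hasLogonKey(n *keyNode) bool {
	for _, c := range n.Children {
		if c.Type == "logon" || hasLogonKey(c) {
			return true
		}
	}
	return false
}

// staleUserKeyrings lists _uid.N keyrings (N != 0) still linked directly
// under root's _uid.0 keyring that no longer hold any logon key.
func staleUserKeyrings(out string) []string {
	stale := []string{}
	var walk func(n *keyNode)
	walk = func(n *keyNode) {
		if n.Type == "keyring" && n.Desc == "_uid.0" {
			for _, c := range n.Children {
				if c.Type == "keyring" && strings.HasPrefix(c.Desc, "_uid.") &&
					c.Desc != "_uid.0" && !hasLogonKey(c) {
					stale = append(stale, c.Desc)
				}
			}
			return
		}
		for _, c := range n.Children {
			walk(c)
		}
	}
	for _, r := range parseKeyctlShow(out) {
		walk(r)
	}
	return stale
}

// Constructed samples: the report's listings with indentation restored.
const afterUnlock = `Session Keyring
 500577725 --alswrv      0     0  keyring: _ses
 749555953 --alswrv      0 65534   \_ keyring: _uid.0
 173465956 ---lswrv   1001 65534       \_ keyring: _uid.1001
 462364131 --alsw-v   1001  1001           \_ logon: ext4:949471831dcf55cf
`

const afterPurge = `Session Keyring
 500577725 --alswrv      0     0  keyring: _ses
 749555953 --alswrv      0 65534   \_ keyring: _uid.0
 173465956 ---lswrv   1001 65534       \_ keyring: _uid.1001
`

func main() {
	fmt.Println("after unlock, stale:", staleUserKeyrings(afterUnlock))
	fmt.Println("after purge, stale:", staleUserKeyrings(afterPurge))
}
```

An empty user keyring left linked under _uid.0 is not itself a key leak, but it is a visible trace of which users have had directories unlocked on the host, so the clean state after purge would have it unlinked as well.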
Fscrypt uses the Key struct to keep sensitive cryptographic data locked in memory and zeroed after use. However, this would be better spun out into a separate library (as it doesn't really deal much with fscrypt).
Luckily, @awnumar has written memguard, a library for handling secrets in Go. It does everything we want and more, but at the cost of requiring some changes to fscrypt (memguard.CatchInterrupt and memguard.SafeExit).
I'll need to do a more thorough read-through of the code, but it looks good so far. In fact, the development of memguard incorporated things we learned with fscrypt. It really looks like this would be a strict improvement.