google / fscrypt Goto Github PK
View Code? Open in Web Editor NEWGo tool for managing Linux filesystem encryption
License: Apache License 2.0
fscrypt's People
Stargazers
Watchers
Forkers
mhalcrow acidburn0zzz kant dayedepps leepro buhijs alexxnica kryndex maximilianmayer maraino rleungx cdp1279 snero fristonio wjt antonblanchard ro9ueadmin vsharma13 awnumar embetrix cshari-zededa asdlei99 backwardn metaver5o vivekv96 ajb042487 sarathkumarsivan bluejeans117 yangboyd makerkrunner primeos anatol dnbrakk netdebug fstanis redsandro timrichardson alec-liu snifhex sharpzking neotim sanjaymsh librechain zhenshuitieniu fnoily ramcq 1crazymoney flowdalic methimpact tklauser gibeom-gwon majacq osandov mingkaili isabella232 qinghai5060 herdus0512 bhupesh-sharma orijtech damiankaczkowski lxbsz isolosun sbuisson-ddn cni-kbj cyberflamego ntpz daejungkim hustliyilin nhukc zodsilence adilger physolia yjuns aaronuniontech ibrahimtopbasi bferrarese test-mass-forker-org-1 irq0 nanu-c ebenali alvkeke rlxdf giggsoff yehudasa izouxv ilove-golang samwell-ho ct129infosec letrhee jovidong ghas-results darkcodemaster linux-tks scantist-ossops-m2 nordix dkg aryankaranfscrypt's Issues
Get Godoc working
Passphrase is not updated when changing password with passwd
As I was looking into reproducing #93 in a VM I hit this bug.
Steps:
- Setup PAM unlocking for ArchLinux as described in #77. Use login password.
- Login as the user whose home is encrypted. Verify that the home is unlocked.
- Use
passwdto change that user's password. - Logout.
- Log back in, confirm that the home directory is now unreadable.
VM: https://drive.google.com/open?id=1soLFKOoFHK47d31RCn6qmJB7AORe2ysg
Uncompress (using xz, no tarball) and launch using virt-manager. Fedora 26 settings. Two users: root and qemu, both have the same password: qemu. User qemu's home is encrypted, PAM unlocking is setup.
Edit: changing the passphrase manually to match the new login password using fscrypt metadata results in a working setup again.
Document memory failures
fscrypt locks keys in memory for security. However, if the user's limit on the total amount of memory (see yours by running ulimit -l) is exceeded, creating a new key fails with EAGAIN. This is because the mmap syscall returns EAGAIN when the memory limit is reached (see docs).
The returned error message of "resource temporarily unavailable" is not very helpful. A better message should be returned and an explanation printed.
Automatically clear cache when fscrypt purge is used
As described in https://github.com/google/fscrypt#i-can-still-see-files-or-filenames-after-running-fscrypt-purge-mountpoint encryption keys are still available in kernel cache after issuing fscrypt purge command.
There is however option to clear kernel cache by changing /proc/sys/vm/drop_caches value to 2 or 3. That means fscrypt purge could send something like sync && echo 3 > /proc/sys/vm/drop_caches and the cache will be cleared. The downside is that fscrypt purge would need execution with sudo.
Policies are never provisioned
Note that in encryptPath() the policy should be deprovisioned on failure to set the appropriate policy. However, the actual deprovisioning is here. Note that this deprovisioning is unconditional, so fscrypt encrypt DIRECTORY will never result in an unlocked directory.
Insulate PAM module against panicking
As seen in #42, bugs in pam_fscrypt will crash the login process, making it very difficult to restore a buggy system. This is not desirable. We should catch all panics, log the stack trace, and return an error for the module.
Crashing the process calling into PAM is never desirable.
Set a more reasonable ramLimit
Fscrypt generates a reasonable set of defaults password hashing costs when creating /etc/fscrypt.conf. However, the ramLimit function is simply half the available system ram.
This poses a problem when using fscrypt on removable media. A password protector setup on a computer with a large amount of memory would be difficult to use on a computer with a small amount of memory. There is no real reason to consume multiple GiBs of RAM, the used memory just needs to not fit in any CPU caches.
Cryptsetup V2 uses a memory cost of 128MiB, which would be OK for any reasonable Linux system (Debian has a minimum memory of 128MiB on amd64).
This change would be completely backwards compatible, only changing the generated values for new /etc/fscrypt.conf files.
Note the potential boot issues with enabling encryption
In the README.md, there is a section about the dangers of enabling encryption. It is sort of causally mentioned that the system will fail to boot. This was fixed here, but many old version of grub are still hanging around.
Also, once you have a grub boot failure, it can be very hard to actually undo the encryption or update Grub. We might want to make the warning more explicit, or have an explicit check for the grub version.
Add fscrypt man page
The fscrypt tool should have a man page so that users can easily and locally find more information on how to use fscrypt. The man page should probably live in section 8 since fscrypt is mostly a system administration tool.
Use user keyring instead of session keyring
Currently fscrypt adds keys to session keyring (KEY_SPEC_SESSION_KEYRING). Applications started within systemd --user instance have their own session keyring which means they would have no access to encrypted directories. To fix this we need add keys to user keyring (KEY_SPEC_USER_KEYRING) instead.
You can test it by invoking systemd-run --user keyctl show,and check logs, the keyring is empty.
Using user keyring is recommended by systemd developers, see systemd/systemd#1299 (comment)
[documentation] ext4 encryption and grub
https://github.com/google/fscrypt#getting-encryption-not-enabled-on-an-ext4-filesystem
Note: It is actually possible to get GRUB to boot an encrypted ext4 filesystem. However, it requires GRUB 2.02 (NOT the 2.02 beta) to be installed as the bootloader. As this version was released in April 2017, most systems WILL FAIL TO BOOT with an ext4 encrypted boot directory
This information is not 100% accurate. grub 2.02 was tagged 2017-04-25: https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e54c99aaff5e5f6f5d3b06028506c57e66d8ef77
Ext4 encryption patch landed 2017-06-29: https://git.savannah.gnu.org/cgit/grub.git/commit/?id=734668238fcc0ef691a080839e04f33854fa133a so it's not part of 2.02 upstream release.
Debian cherry-picked this patch to their 2.02 package https://anonscm.debian.org/cgit/pkg-grub/grub.git/commit/?id=29c8a3e93ad5c37599ac3281e59a7452c7c23928 but not every distro did.
Just found this hard way with grub rescue shell ๐
Protectors can be improperly reverted
In cmd/fscrypt/commands.go, Protectors should be reverted if they are created. The reversion on failure is here. But this has a problem.
If the protector is selected (not created) in selectOrCreateProtector() the protector will be reverted regardless on any error. This means a failure after selection can result in data loss. The documentation for selectOrCreateProtector() is also wrong, leading to this confusion.
Document integration tests
Right now fscrypt's integration tests rely on the environment variable TEST_FILESYSTEM_ROOT being set. This variable should be set to the path of a filesystem which supports filesystem encryption, or make go (or go test) will fail.
This requirement should be documented better, or the integration tests should just not be run if TEST_FILESYSTEM_ROOT is not set.
Update CONTRIBUTING to note use of GitHub issues for design discussion
Document where design discussion should occur
Document exact specifics of udev dependancy
With #54, the directory /dev/disk/by-uuid and its contents are now necessary to establish cross filesystem links. This means use of these links now depends on a specific default udev rule, namely 60-persistent-storage.rules. The source can be found in the systemd tree, eudev tree, and the old udev tree.
The documentation (probably part of #10) should explain this an other dependencies in a single section. It should also explain when these dependencies are necessary (build-time, run-time, link creation time, etc..).
Get spelling linter
I cannot spell. Get a linter that runs as part of the CI process that checks for spelling errors.
encrypt subcommand incorrectly reports that the directory is ready for use
The fscrypt encrypt subcommand reports that, <DIR> is now encrypted, unlocked, and ready for use. but it doesn't actually unlock the directory:
$ mkdir -p encrypted && fscrypt encrypt encrypted/
Should we create a new protector? [y/N] y
Your data can be protected with one of the following sources:
1 - Your login passphrase (pam_passphrase)
2 - A custom passphrase (custom_passphrase)
3 - A raw 256-bit key (raw_key)
Enter the source number for the new protector [2 - custom_passphrase]:
Enter a name for the new protector: p1
Enter custom passphrase for protector "p1":
Confirm passphrase:
"encrypted/" is now encrypted, unlocked, and ready for use.
$ echo this is only a test > encrypted/test
-bash: encrypted/test: Required key not available
$ fscrypt status encrypted
"encrypted" is encrypted with fscrypt.
Policy: 9ac3aa2fa6413dd1
Unlocked: No
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
69845814cae88b44 No custom protector "p1"
Now I can unlock the directory and begin using it:
$ fscrypt unlock encrypted
Enter custom passphrase for protector "p1":
"encrypted" is now unlocked and ready for use.
$ echo this is only a test > encrypted/test
$ cat encrypted/test
this is only a test
Can not move files/directories from unencrypted directory to encrypted directory
Here is my encrypted directory status:
$ fscrypt status /home/ilius/test
"/home/ilius/test" is encrypted with fscrypt.
Policy: 44f05ee076fff2d7
Unlocked: Yes
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
99db526fab54e494 No custom protector "test"
fscrypt$ fscrypt unlock /home/ilius/test
fscrypt unlock: /home/ilius/test: this file or directory is already unlocked
And here is the error I get when I try to move a file from a normal (unencrypted) directory to my encrypted directory:
mv: cannot move '../test.txt' to './test.txt': Operation not permitted
Also graphically (with Caja file manager) I get "Error moving file: Operation not permitted".
Copy works, both graphically and command line.
Also deleting the original file works (with the same user)
OS: Linux Mint 18.1 Serena
Kernel: Linux 4.4.0-53-generic #74-Ubuntu SMP Fri Dec 2 15:59:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Tested with latest fscrypt (commit cedbe0e)
Add in mutation testing for fscrypt
Add support for new encryption modes in 4.13
Support for AES-128 encryption modes was added in torvalds/linux@b7e7cf7. This should be reflected in fscrypt (similar to google/fscryptctl#5). We should update our vendored copy of https://github.com/golang/sys/tree/master/unix which added 4.13 support in golang/sys@31e1faf.
Move `fscrypt.conf`'s format to TOML
fscrypt.conf is currently formatted as a JSON file. This is undesirable for many reasons.
- JSON is not a great format for a configuration file
- JSON does not support comments (without a dirty hack)
- JSON is designed to be human-readable not human-writable
During the initial design process for fscrypt, we considered using TOML as the config format (like rust does). The main reason we didn't is because TOML is less common than JSON and because the main go library had a legally problematic license.
Now that TOML is used by toolchain programs like dep and the licensing problem is fixed, TOML makes more sense.
The following will need to be completed to make this change:
- Add support for reading
fscrypt.confas TOML - Start generating all new
fscrypt.conffiles as TOML - Warn users who have JSON formatted
fscrypt.conffiles - Remove support for reading a JSON config file (would need to be done before 1.0)
Release tarballs don't retain version information
The Makefile contains logic to build a version string by using git describe --tags and inject it into the fscrypt build. This allows fscrypt --version to print a version string. However, the version information can't be gathered when building from the release tarballs since there's no git tree available and fscrypt --version doesn't include any version information in the output.
Add PAM module
As mentioned in the README, the idea of protecting directories with a login passphrase is incomplete without a PAM module. This PAM module will need to support the following functionality:
- Automatically re-wrapping a user's login protector when their PAM passphrase changes.
- Automatically unlocking directories on login
The road map for changes to incorporate the PAM module is as follows:
- (#21) Refactoring the
pampackage to support the additional functionality. - (#3, #18) Improvements to the
actionspackage making unlocking Policies easier. See #3 and #18 - (#25) Writing the PAM module itself. This will be a package exporting the correct identifiers built as a
.so. - (#25) Adding build support in the Makefile
- (#25) Updating the Documentation
[question] Should bind-mounts be treated as separate filesystems?
I noticed that currently fscrypt treats directories mounted on existing filesystem with --bind option as separate mountpoints.
That means it needs executing fscrypt setup MOUNTPOINT on every directory mounted this way to make encryption available. Moreover it can create confusion when encrypted directory was created before bind-mounts were used:
fscrypt setup /
fscrypt encrypt /home/xxx (creates policy under /.fscrypt)
bind-mount /home to /home
fscrypt setup /home
fscrypt status /home/xxx (searches policy under /home/.fscrypt)
In that case user have to manually copy fscrypt metadata from /.fscrypt to /home/.fscrypt
make: arch: Command not found
During build I am now seeing the following error:
make: arch: Command not found
go build --ldflags '-s -w -X "main.version=v0.2.3-2-gbd2ca31" -X "main.buildTime=Wed Feb 14 13:21:43 -03 2018" -extldflags "-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"' -o bin/fscrypt ./cmd/fscrypt
go build -buildmode=c-shared --ldflags '-s -w -X "main.version=v0.2.3-2-gbd2ca31" -X "main.buildTime=Wed Feb 14 13:21:43 -03 2018" -extldflags "-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"' -o bin/pam_fscrypt.so ./pam_fscrypt
rm -f bin/pam_fscrypt.h
The build succeeds nonetheless. Is this expected? It might be related to commit 3326520
pam_fscrypt auth module crashes login process
After adding pam_fscrypt module to pam auth config it crashes login process after providing password:
systemd[1]: Started Getty on tty2.
systemd-coredump[14940]: Process 1777 (login) of user 0 dumped core.
Stack trace of thread 1777:
#0 0x000064ee5d0edc64 n/a (pam_fscrypt.so)
#1 0x000064ee5d0d5f4b n/a (pam_fscrypt.so)
#2 0x000064ee5d0c2180 n/a (pam_fscrypt.so)
#3 0x000064ee5d0e8d7e n/a (pam_fscrypt.so)
#4 0x000064ee5d0ea082 n/a (pam_fscrypt.so)
my pam sytem-login:
#%PAM-1.0
auth required pam_shells.so
auth requisite pam_nologin.so
auth required pam_unix.so try_first_pass
auth optional pam_permit.so
auth required pam_env.so
auth optional pam_fscrypt.so
account required pam_access.so
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session optional pam_fscrypt.so drop_caches lock_policies debug
session optional pam_loginuid.so
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so dir=/var/spool/mail standard quiet
-session optional pam_systemd.so
session required pam_env.so
my pam system-auth:
#%PAM-1.0
auth required pam_unix.so try_first_pass
auth optional pam_permit.so
auth required pam_env.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password required pam_unix.so try_first_pass sha512 shadow
password optional pam_permit.so
password optional pam_fscrypt.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
I didn't setup any passwords or protectors yet. Only run fscrypt setup
System: Archlinux
Kernel: 4.12.8
[bug] Logged users can view each other encrypted files in plaintext
I noticed that logged user can view files from other logged users encrypted directories even as they see encrypted directory status as locked and don't have relevant key in their keyring. Is it side effect of linking user keyring to root's? I tested this on Archlinux with fscrypt --version 0.2.1-1-ga949b13 while logging in with VT console. Also all users in Arch share the same GID "users" by default. After user logout directory is properly visible as encrypted.
Encrypted directory status viewed as user2:
$ fscrypt status /home/user1
"/home/user1" is encrypted with fscrypt.
Policy: 949471831dcf55cf
Unlocked: No
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
6682ae84e70e99b3 No login protector for user1
User2 keyring:
$ keyctl show
Session Keyring
168271410 --alswrv 1002 1002 keyring: _ses
840784887 --alswrv 1002 65534 \_ keyring: _uid.1002
800661253 --alsw-v 1002 1002 \_ logon: ext4:13cb92d62226353b
Encrypted directory view as user2:
$ ls -al /home/user1/
total 12
drwxr-xr-x 2 user1 user1 4096 Sep 3 16:14 .
drwxr-xr-x 6 root root 4096 Sep 3 16:10 ..
-rw-r--r-- 1 user1 user1 225 Sep 8 12:02 .bash_history
Encrypted file view as user2:
$ cat /home/user1/.bash_history
ls -al
fscrypt encrypt /home/user1
exit
exit
fscrypt status /home/user1/
exit
exit
exit
exit
chmod 644 .bash_history
logout
exit
exit
exit
[bug] pam_fscrypt doesn't locks and clear keyring after logout
Thank you for fixing issues I reported. Unfortunately I have another one.
I created user1 and created encrypted directory under his homedir using pam_passphrase method.
I added following fscrypt pam session module to my pam config:
session optional pam_fscrypt.so drop_caches lock_policies debug
When user1 logs in encrypted directory is correctly unlocked but after logout it's still unlocked and avalaible in plaintext. user1 key is still available in root keyring.
Invoking fscrypt purge manually correctly removes user1 keys and lock encrypted directory.
fscrypt --version
Version:
0.2.1
pam_fscrypt[928]: OpenSession()
pam_fscrypt[928]: Session count for UID=995 updated to 1
pam_fscrypt[928]: Setreuid(995, 0) = <nil>
pam_fscrypt[928]: keyringID(_uid.995) = 382539738, <nil>
pam_fscrypt[928]: Setreuid(0, 995) = <nil>
pam_fscrypt[928]: KeyctlLink(382539738, -2) = <nil>
pam_fscrypt[928]: Setreuid(0, 0) = <nil>
pam_fscrypt[928]: keyringID(_uid.0) = 953047531, <nil>
pam_fscrypt[928]: KeyctlLink(953047531, -2) = <nil>
pam_fscrypt[928]: KeyctlLink(382539738, 953047531) = <nil>
pam_fscrypt[928]: Setting privileges to "sddm"
pam_fscrypt[928]: Setregid(-1, 995) = <nil>
pam_fscrypt[928]: Setgroups([995]) = <nil>
pam_fscrypt[928]: Setreuid(-1, 995) = <nil>
pam_fscrypt[928]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[928]: creating context for "sddm"
pam_fscrypt[928]: found ext4 filesystem "/" (/dev/sda1)
pam_fscrypt[928]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[928]: found 1 descriptor(s)
pam_fscrypt[928]: successfully read metadata from "/.fscrypt/protectors/d61a252a36ed673d"
pam_fscrypt[928]: no protector to unlock: no PAM protector for UID=995 on "/"
pam_fscrypt[928]: Setting privileges to "root"
pam_fscrypt[928]: Setreuid(-1, 0) = <nil>
pam_fscrypt[928]: Setregid(-1, 0) = <nil>
pam_fscrypt[928]: Setgroups([0 1 2 3 4 6 10 19]) = <nil>
pam_fscrypt[928]: pam func succeeded
pam_fscrypt[1024]: OpenSession()
pam_fscrypt[1024]: Session count for UID=1001 updated to 1
pam_fscrypt[1024]: KeyctlLink(620474931, 953047531) = <nil>
pam_fscrypt[1024]: Setting privileges to "user1"
pam_fscrypt[1024]: Setregid(-1, 1001) = <nil>
pam_fscrypt[1024]: Setgroups([1001 6 7 90 91 92 93 95 96 98]) = <nil>
pam_fscrypt[1024]: Setreuid(-1, 1001) = <nil>
pam_fscrypt[1024]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[1024]: creating context for "user1"
pam_fscrypt[1024]: found ext4 filesystem "/" (/dev/sda1)
pam_fscrypt[1024]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[1024]: found 1 descriptor(s)
pam_fscrypt[1024]: successfully read metadata from "/.fscrypt/protectors/d61a252a36ed673d"
pam_fscrypt[1024]: Getting protector d61a252a36ed673d from option
pam_fscrypt[1024]: successfully read metadata from "/.fscrypt/protectors/d61a252a36ed673d"
pam_fscrypt[1024]: listing descriptors in "/.fscrypt/policies"
pam_fscrypt[1024]: found 0 descriptor(s)
pam_fscrypt[1024]: successfully read metadata from "/.fscrypt/protectors/d61a252a36ed673d"
pam_fscrypt[1024]: listing descriptors in "/home/.fscrypt/policies"
pam_fscrypt[1024]: found 1 descriptor(s)
pam_fscrypt[1024]: successfully read metadata from "/home/.fscrypt/policies/ad38f36028a00960"
pam_fscrypt[1024]: got data for ad38f36028a00960 from "/home"
pam_fscrypt[1024]: stat /run/user/995/.fscrypt: permission denied
pam_fscrypt[1024]: stat /run/user/995/.fscrypt/policies: permission denied
pam_fscrypt[1024]: stat /run/user/995/.fscrypt/protectors: permission denied
pam_fscrypt[1024]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
pam_fscrypt[1024]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
pam_fscrypt[1024]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
pam_fscrypt[1024]: stat /sys/kernel/debug/.fscrypt: permission denied
pam_fscrypt[1024]: stat /sys/kernel/debug/.fscrypt/policies: permission denied
pam_fscrypt[1024]: stat /sys/kernel/debug/.fscrypt/protectors: permission denied
pam_fscrypt[1024]: unlocking 1 policies protected with AUTHTOK
pam_fscrypt[1024]: running passphrase hash for protector d61a252a36ed673d
pam_fscrypt[1024]: valid wrapping key for protector d61a252a36ed673d
pam_fscrypt[1024]: keyringID(session) = 285177417, <nil>
pam_fscrypt[1024]: KeyctlSearch(285177417, keyring, _uid.1001) = 620474931, <nil>
pam_fscrypt[1024]: KeyctlSearch(620474931, logon, ext4:ad38f36028a00960) = -1, required key not available
pam_fscrypt[1024]: keyringID(session) = 285177417, <nil>
pam_fscrypt[1024]: KeyctlSearch(285177417, keyring, _uid.1001) = 620474931, <nil>
pam_fscrypt[1024]: KeyctlAddKey(logon, ext4:ad38f36028a00960, <data>, 620474931) = 647228005, <nil>
pam_fscrypt[1024]: policy ad38f36028a00960 provisioned
pam_fscrypt[1024]: Setting privileges to "root"
pam_fscrypt[1024]: Setreuid(-1, 0) = <nil>
pam_fscrypt[1024]: Setregid(-1, 0) = <nil>
pam_fscrypt[1024]: Setgroups([0 1 2 3 4 6 10 19]) = <nil>
pam_fscrypt[1024]: pam func succeeded
pam_fscrypt[1135]: OpenSession()
pam_fscrypt[1135]: Session count for UID=1001 updated to 2
pam_fscrypt[1135]: Setreuid(1001, 0) = <nil>
pam_fscrypt[1135]: keyringID(_uid.1001) = 620474931, <nil>
pam_fscrypt[1135]: Setreuid(0, 1001) = <nil>
pam_fscrypt[1135]: KeyctlLink(620474931, -2) = <nil>
pam_fscrypt[1135]: Setreuid(0, 0) = <nil>
pam_fscrypt[1135]: keyringID(_uid.0) = 953047531, <nil>
pam_fscrypt[1135]: KeyctlLink(953047531, -2) = <nil>
pam_fscrypt[1135]: KeyctlLink(620474931, 953047531) = <nil>
pam_fscrypt[1135]: Setting privileges to "user1"
pam_fscrypt[1135]: Setregid(-1, 1001) = <nil>
pam_fscrypt[1135]: Setgroups([1001 6 7 90 91 92 93 95 96 98]) = <nil>
pam_fscrypt[1135]: Setreuid(-1, 1001) = <nil>
pam_fscrypt[1135]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[1135]: creating context for "user1"
pam_fscrypt[1135]: found ext4 filesystem "/" (/dev/sda1)
pam_fscrypt[1135]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[1135]: found 1 descriptor(s)
pam_fscrypt[1135]: successfully read metadata from "/.fscrypt/protectors/d61a252a36ed673d"
pam_fscrypt[1135]: Getting protector d61a252a36ed673d from option
pam_fscrypt[1135]: successfully read metadata from "/.fscrypt/protectors/d61a252a36ed673d"
pam_fscrypt[1135]: listing descriptors in "/.fscrypt/policies"
pam_fscrypt[1135]: found 0 descriptor(s)
pam_fscrypt[1135]: successfully read metadata from "/.fscrypt/protectors/d61a252a36ed673d"
pam_fscrypt[1135]: listing descriptors in "/home/.fscrypt/policies"
pam_fscrypt[1135]: found 1 descriptor(s)
pam_fscrypt[1135]: successfully read metadata from "/home/.fscrypt/policies/ad38f36028a00960"
pam_fscrypt[1135]: got data for ad38f36028a00960 from "/home"
pam_fscrypt[1135]: stat /run/user/995/.fscrypt: permission denied
pam_fscrypt[1135]: stat /run/user/995/.fscrypt/policies: permission denied
pam_fscrypt[1135]: stat /run/user/995/.fscrypt/protectors: permission denied
pam_fscrypt[1135]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
pam_fscrypt[1135]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
pam_fscrypt[1135]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
pam_fscrypt[1135]: stat /sys/kernel/debug/.fscrypt: permission denied
pam_fscrypt[1135]: stat /sys/kernel/debug/.fscrypt/policies: permission denied
pam_fscrypt[1135]: stat /sys/kernel/debug/.fscrypt/protectors: permission denied
pam_fscrypt[1135]: unlocking 1 policies protected with AUTHTOK
pam_fscrypt[1135]: Setting privileges to "root"
pam_fscrypt[1135]: Setreuid(-1, 0) = <nil>
pam_fscrypt[1135]: Setregid(-1, 0) = <nil>
pam_fscrypt[1135]: Setgroups([0 1 2 3 4 6 10 19]) = <nil>
pam_fscrypt[1135]: pam func failed: unlocking protector d61a252a36ed673d: AUTHTOK data missing: No module specific data is present
pam_fscrypt[1024]: CloseSession(map[debug:true drop_caches:true lock_policies:true])
pam_fscrypt[1024]: Session count for UID=1001 updated to 1
pam_fscrypt[1024]: count is 1 and we are not locking
pam_fscrypt[1024]: pam func succeeded
pam_fscrypt[936]: CloseSession(map[drop_caches:true lock_policies:true debug:true])
pam_fscrypt[936]: count is 0 and we are not locking
pam_fscrypt[936]: pam func failed: open /run/fscrypt/995.count: permission denied
pam_fscrypt messes up user groups during login
I've added pam_fscrypt to /etc/pam.d/system-auth (on Arch Linux) as described in the README:
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so
auth optional pam_fscrypt.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so
password optional pam_fscrypt.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
session optional pam_fscrypt.so drop_caches lock_policies
With pam_fscrypt enabled, I'm no longer in the wheel group after login for some reason, which means I can no longer use sudo. Instead, it adds me to the root group:
$ id
uid=1000(i3test) gid=1000(i3test) groups=1000(i3test),0(root)
With session optional pam_fscrypt.so commented out:
$ id
uid=1000(i3test) gid=1000(i3test) groups=1000(i3test),985(wheel)
Log:
login[434]: pam_unix(login:session): session opened for user i3test by LOGIN(uid=0)
pam_fscrypt[434]: OpenSession()
pam_fscrypt[434]: Session count for UID=1000 updated to 1
pam_fscrypt[434]: KeyctlLink(483117192, 57274768) = <nil>
pam_fscrypt[434]: Setting privileges to "i3test"
pam_fscrypt[434]: Setregid(-1, 1000) = <nil>
pam_fscrypt[434]: Setgroups([1000 985]) = <nil>
pam_fscrypt[434]: Setreuid(-1, 1000) = <nil>
pam_fscrypt[434]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[434]: creating context for "i3test"
pam_fscrypt[434]: found ext4 filesystem "/" (/dev/sda2)
pam_fscrypt[434]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[434]: found 0 descriptor(s)
pam_fscrypt[434]: no protector to unlock: no PAM protector for UID=1000 on "/"
pam_fscrypt[434]: Setting privileges to "root"
pam_fscrypt[434]: Setreuid(-1, 0) = <nil>
pam_fscrypt[434]: Setregid(-1, 0) = <nil>
pam_fscrypt[434]: Setgroups([0]) = <nil>
pam_fscrypt[434]: pam func succeeded
login[434]: LOGIN ON tty1 BY i3test
login[434]: pam_unix(login:session): session closed for user i3test
pam_fscrypt[434]: CloseSession(map[drop_caches:true lock_policies:true debug:true])
pam_fscrypt[434]: Session count for UID=1000 updated to 0
pam_fscrypt[434]: locking polices protected with login protector
pam_fscrypt[434]: KeyctlLink(483117192, 57274768) = <nil>
pam_fscrypt[434]: Setting privileges to "i3test"
pam_fscrypt[434]: Setregid(-1, 1000) = <nil>
pam_fscrypt[434]: Setgroups([1000 985]) = <nil>
pam_fscrypt[434]: Setreuid(-1, 1000) = <nil>
pam_fscrypt[434]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[434]: creating context for "i3test"
pam_fscrypt[434]: found ext4 filesystem "/" (/dev/sda2)
pam_fscrypt[434]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[434]: found 0 descriptor(s)
pam_fscrypt[434]: nothing to lock: no PAM protector for UID=1000 on "/"
pam_fscrypt[434]: Setting privileges to "root"
pam_fscrypt[434]: Setreuid(-1, 0) = <nil>
pam_fscrypt[434]: Setregid(-1, 0) = <nil>
pam_fscrypt[434]: Setgroups([0]) = <nil>
pam_fscrypt[434]: dropping appropriate filesystem caches at session close
pam_fscrypt[434]: syncing changes to filesystem
pam_fscrypt[434]: freeing reclaimable inodes and dentries
pam_fscrypt[434]: pam func succeeded
kernel: login (434): drop_caches: 2
Any ideas? :)
Document pam_passphrase weirdness
By default, protectors with type pam_passphrase have their metadata stored at the filesystem root. This is to make sure the login protectors are updated when the user's passphrase changes.
This can be unexpected as metadata is normally stored on entirely on the filesystem containing the encrypted directory. The current documentation/man pages should note how this works.
Improve tests that depend on the filesystem
Many of the tests for fscrypt have a dependency on the environment. The either require
- That
TEST_FILESYSTEM_ROOTbe set to the root an ext4 filesystem for testing. - That
pam_fscrypt.sobe installed.
To fix all this, we will add a command to setup the environment for integration tests, and skip the integration tests if the environment is not setup.
Update output to match reality
The README.md currently does not match reality, they should be fixed (similar to google/fscryptctl#6). We may want some way to autogenerate the documents to make the updating process easier.
Setup Travis CI
Integrate fscrypt in to Ubuntu 17.10 Artful
Fscrypt is intended to replace eCryptfs as the implementation for home directory encryption in Ubuntu.
Tyler Hicks will be the main POC at Canonical
Issue creating filesystem links with libblkid
fscrypt --version
Version:
0.2.0-12-gfe92c00
fscrypt encrypt --verbose /home/bbb
Reading config from "/etc/fscrypt.conf"
/home/bbb is on ext4 filesystem "/home" (/dev/sda2)
ensuring /home/bbb is an empty and readable directory
ensuring /home/bbb supports encryption and filesystem is using fscrypt
creating policy for "/home/bbb"
listing descriptors in "/home/.fscrypt/protectors"
found 0 descriptor(s)
listing descriptors in "/.fscrypt/protectors"
found 0 descriptor(s)
adding additional ProtectorOptions
Your data can be protected with one of the following sources:
1 - Your login passphrase (pam_passphrase)
2 - A custom passphrase (custom_passphrase)
3 - A raw 256-bit key (raw_key)
Enter the source number for the new protector [2 - custom_passphrase]: 1
using source: pam_passphrase
using name:
creating login protector on "/" instead of "/home"
listing descriptors in "/.fscrypt/protectors"
found 0 descriptor(s)
KeyFunc(login protector for non-root-user, false)
Enter login passphrase for non-root-user:
Checking login token for non-root-user
running passphrase hash for protector 1a4115c26b47168e
writing metadata to "/.fscrypt/protectors/1a4115c26b47168e"
policy on /home
Filsystem: ext4
Options: [rw nosuid nodev noexec noatime stripe=32708 data=ordered]
Device: /dev/sda2
protector on /
Filsystem: ext4
Options: [rw noatime errors=remount-ro data=ordered]
Device: /dev/sda1
successfully read metadata from "/.fscrypt/protectors/1a4115c26b47168e"
blkid_evaluate_spec("/dev/sda1", <cache>) = "/dev/sda1"
blkid_get_tag_value(<cache>, UUID, /dev/sda1) =
could not remove metadata at "/.fscrypt/protectors/1a4115c26b47168e.link"
successfully removed metadata at "/.fscrypt/protectors/1a4115c26b47168e"
fscrypt encrypt: filesystem /: no UUID: system error: cannot create filesystem link
/dev/sda1 is "/" with encryption feature disabled
/dev/sda2 is "/home" with encryption feature enabled
/home/bbb is owned by non-root-user
Directory is successfully encrypted by non-root-user using custom_passphrase method.
Directory is successfully encrypted by root while owned by root using pam_passphrase method.
I noticed that when using custom_passphrase fscrypt policy is saved in /home/.fscrypt while using pam_passphrase it tries to save it under /.fscrypt which fails.
Allow Policies to directly be unlocked with a Protector
As of right now, Policies can only be unlocked by passing OptionFunc and KeyFunc callbacks. This works in most cases. However, if there are multiple policies protected with the same protector, then the KeyFunc must be called multiple times to unlock them all.
This could be solved by adding an additional unlock method on the Policy struct.
add a custom path for /etc/fscrypt.conf
Hello,
We need to specify an other path for /etc/fscrypt.conf , as parameter to each command.
Regards,
Nicolas
Build instructions don't work
When following the build instructions in the readme, I got stuck at:
go get -d github.com/google/fscrypt
It comes back with:
can't load package: package github.com/google/fscrypt: no buildable Go source files in /home/pp/go/src/github.com/google/fscrypt
($GOROOT is /home/pp/go/root and $GOPATH is /home/pp/go here.)
/home/pp/go/src/github.com/google/fscrypt does contain the cloned contents of this repo.
Move dependency management to `dep`
The dep tool is now ready for production use.
It will greatly simplify a lot of our build rules, as well as reducing our overhead when dep is absorbed into the golang toolchain.
For example, our go-tools build rule can be replaced with required build rules in Gopkg.toml.
PAM login failure after update to bd2ca31
After updating to revision bd2ca31 my previously working fscrypt setup started failing.
Steps:
- Setup fscrypt (0.2.2.7.g141265f-1) + PAM unlocking using pam_fscrypt.so as described in #77 (comment)
- Logging in unlocks home and login succeeds (both console and GDM).
- Update to fscrypt 0.2.3.2.gbd2ca31-1 or 0.2.3.0.ge131cec-1 (both tested).
- Attempt to login results in
a. GDM appears to succeed and then goes back to login screen (no desktop shown).
b. Console redisplays login prompt, no shell prompt displayed.
Home directory is left in unlocked state after this, so pam_fscrypt.so is partially working. Removing all pam_fscrypt.so instances from /etc/pam.d/system-auth and /etc/pam.d/system-login results in successful login (if home directory is in unlocked state, which it is after at least one failed attempt).
Reverting to revision 141265f solves the issue and logins work again.
Non-encrypted logins do work even with pam_fscrypt.so enabled (my root home is not encrypted). Logs with debug option in all pam_fscrypt.so instances:
Look at pam_fscrypt[11273] for instance:
Add version in the README
Fscrypt has versioning in the Makefile and with --version. Should just be a badge or something.
Hitting Ctrl-C during sudo prompt causes a segmentation fault
Test case:
sudo echo lol- Hit Ctrl-C to cancel password input.
Result:
[sudo] password for seba:
fatal error: unexpected signal during runtime execution
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x7fa539940f11]
runtime stack:
runtime.throw(0x7fa53576536c, 0x2a)
/usr/lib/go/src/runtime/panic.go:605 +0x97
runtime.sigpanic()
/usr/lib/go/src/runtime/signal_unix.go:351 +0x2bc
goroutine 17 [syscall, locked to thread]:
runtime.cgocall(0x7fa53575b580, 0xc4200c1cb8, 0x29)
/usr/lib/go/src/runtime/cgocall.go:132 +0xea fp=0xc4200c1c88 sp=0xc4200c1c48 pc=0x7fa5355f374a
github.com/google/fscrypt/pam._Cfunc_copyIntoSecret(0x0, 0x0)
github.com/google/fscrypt/pam/_obj/_cgo_gotypes.go:106 +0x4c fp=0xc4200c1cb8 sp=0xc4200c1c88 pc=0x7fa53571b70c
github.com/google/fscrypt/pam.(*Handle).SetSecret.func1(0x0, 0x7fa53571c7a1)
/home/seba/.cache/pacaur/fscrypt-git/src/go/src/github.com/google/fscrypt/pam/pam.go:98 +0x62 fp=0xc4200c1cf0 sp=0xc4200c1cb8 pc=0x7fa53571cfc2
github.com/google/fscrypt/pam.(*Handle).SetSecret(0xc42000c9e0, 0x7fa53575dfc3, 0xf, 0x0, 0x0, 0x0)
/home/seba/.cache/pacaur/fscrypt-git/src/go/src/github.com/google/fscrypt/pam/pam.go:98 +0x2d fp=0xc4200c1d38 sp=0xc4200c1cf0 pc=0x7fa53571c65d
main.Authenticate(0xc42000c9e0, 0xc4200108a0, 0x0, 0x0)
/home/seba/.cache/pacaur/fscrypt-git/src/go/src/github.com/google/fscrypt/pam_fscrypt/pam_fscrypt.go:75 +0x256 fp=0xc4200c1da8 sp=0xc4200c1d38 pc=0x7fa5357576c6
main.RunPamFunc(0x7fa535a01df8, 0x55af85c4b080, 0x0, 0x0, 0x0)
/home/seba/.cache/pacaur/fscrypt-git/src/go/src/github.com/google/fscrypt/pam_fscrypt/run_fscrypt.go:82 +0x20c fp=0xc4200c1e40 sp=0xc4200c1da8 pc=0x7fa53575915c
main.pam_sm_authenticate(0x55af85c4b080, 0x8000, 0x0, 0xc400000008)
/home/seba/.cache/pacaur/fscrypt-git/src/go/src/github.com/google/fscrypt/pam_fscrypt/pam_fscrypt.go:262 +0x4b fp=0xc4200c1e78 sp=0xc4200c1e40 pc=0x7fa535758dab
main._cgoexpwrap_058fc3b736e8_pam_sm_authenticate(0x55af85c4b080, 0x8000, 0x0, 0x0)
github.com/google/fscrypt/pam_fscrypt/_obj/_cgo_gotypes.go:62 +0x47 fp=0xc4200c1ea8 sp=0xc4200c1e78 pc=0x7fa5357571a7
runtime.call32(0x0, 0x7fff085bf0e8, 0x7fff085bf180, 0x20)
/usr/lib/go/src/runtime/asm_amd64.s:509 +0x3d fp=0xc4200c1ed8 sp=0xc4200c1ea8 pc=0x7fa535646f7d
runtime.cgocallbackg1(0x0)
/usr/lib/go/src/runtime/cgocall.go:305 +0x1a0 fp=0xc4200c1f58 sp=0xc4200c1ed8 pc=0x7fa5355f3b00
runtime.cgocallbackg(0x0)
/usr/lib/go/src/runtime/cgocall.go:187 +0x95 fp=0xc4200c1fc0 sp=0xc4200c1f58 pc=0x7fa5355f38c5
runtime.cgocallback_gofunc(0x0, 0x0, 0x0, 0x0)
/usr/lib/go/src/runtime/asm_amd64.s:762 +0x9a fp=0xc4200c1fe0 sp=0xc4200c1fc0 pc=0x7fa53564858a
runtime.goexit()
/usr/lib/go/src/runtime/asm_amd64.s:2337 +0x1 fp=0xc4200c1fe8 sp=0xc4200c1fe0 pc=0x7fa535649801
[1] 4513 abort sudo echo lol
Add linux build constraints
When trying to do go get github.com/google/fscrypt on macOS, I get the following error:
# github.com/google/fscrypt/metadata
metadata/constants.go:31: undefined: unix.FS_KEY_DESCRIPTOR_SIZE
metadata/constants.go:31: const initializer 2 * unix.FS_KEY_DESCRIPTOR_SIZE is not a constant
metadata/constants.go:39: undefined: unix.FS_MAX_KEY_SIZE
metadata/policy.go:49: undefined: unix.FscryptPolicy
metadata/policy.go:74: undefined: unix.FS_POLICY_FLAGS_PAD_4
metadata/policy.go:74: undefined: unix.FS_POLICY_FLAGS_PAD_8
metadata/policy.go:75: undefined: unix.FS_POLICY_FLAGS_PAD_16
metadata/policy.go:75: undefined: unix.FS_POLICY_FLAGS_PAD_32
metadata/policy.go:88: undefined: unix.FscryptPolicy
metadata/policy.go:89: undefined: unix.FS_IOC_GET_ENCRYPTION_POLICY
metadata/policy.go:89: too many errors
To make it clearer that building will only work on linux, a build constraint should be added the the files.
Move to a pure go implementation of Argon2id
An implementation of Argon2id has made it into x/crypto!!!
We should switch over to this as it would get rid of any dependency on libargon2 and potentially increase performance. I'll post more perf info when I have a chance to prototype.
Build failure on 32 bit architectures
The PointerSlice() function, added by 0b643ea, is causing build failures on 32 bit architectures (verified on armhf and i386 in Ubuntu Artful). Here's the relevant snippet from the build log:
src/github.com/google/fscrypt/util/util.go:49: type [1073741824]unsafe.Pointer larger than address space
src/github.com/google/fscrypt/util/util.go:49: type [1073741824]unsafe.Pointer too large
Here's the code around line 49:
46 // PointerSlice takes a pointer to an array of pointers and views it as a slice
47 // of pointers. Note, indexing into this slice is unsafe.
48 func PointerSlice(ptr unsafe.Pointer) []unsafe.Pointer {
49 return (*[1 << 30]unsafe.Pointer)(ptr)[:]
50 }I'm not sure how stable these links will be longterm but here are links to the full build logs:
Error when unlocking filesystem.
Reported here, reproduced below:
I tested fscrypt with ext4, but I got this error:
root@pc1:/home/hamiltonp/Temp# fscrypt unlock mount/blah/
Enter custom passphrase for protector "test":
fscrypt unlock: permission denied: system error: could not insert key into the keyring
It persisted with password and keyfile method.
File names available in plaintext after logout using SDDM
When using SDDM display manager, filenames are still available in plaintext after user logs out. It's weird as file contents remain encrypted. It doesn't happen if user logs in from console. It also happened before #57 was fixed and I executed fscrypt purge command on exit from script.
fscrypt --version
Version:
0.2.1-9-gd6efd2a
Encrypted directory status before login:
# fscrypt status /home/user1/
"/home/user1" is encrypted with fscrypt.
Policy: 949471831dcf55cf
Unlocked: No
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
6682ae84e70e99b3 Yes (/) login protector for user1
Encrypted directory view before login:
# ls -al /home/user1
total 44
drwxr-xr-x 8 user1 user1 4096 Oct 1 21:55 .
drwxr-xr-x 6 root root 4096 Sep 3 16:10 ..
drwxr-xr-x 3 user1 user1 4096 Oct 1 21:55 4KuOWyB8JVvtSjQ5wWBs+3UWsPIAtebNN03,X6EhRRD
-rw------- 1 user1 user1 51 Oct 1 21:55 7Gkj14k6MhIjhqp,YpbkzY0ZmW5CZ8NWfjtIUvuXVYN
drwxr-xr-x 4 user1 user1 4096 Oct 1 21:56 cYjQyFUTZ0aueNUy49A2gC6rqu+hr9YqG+J0YxZuogN
drwxr-xr-x 3 user1 user1 4096 Oct 1 21:55 dUJK0ZvNyVKTTyY2aT4uwV70oxGuP4UpaaNTHH6f,PI
-rw------- 1 user1 user1 16 Oct 1 21:55 gaVOjkDXQ,epFAzE0U9oaiJ1RZegg,E46fybSNZxyZJ
drwxr-xr-x 12 user1 user1 4096 Oct 1 21:56 GhiHtwJJ6Udq2iruRTdskoM3gOuZO0qwD8Y7db9ViYK
-rw-r--r-- 1 user1 user1 336 Oct 1 21:55 mA2atU6muhkdiJ8+x11CDrSijNnTx6GymhU5fZQSIRM
drwx------ 2 user1 user1 4096 Oct 1 21:55 t3rX5lOToba9YDfnn,05o5AOxqs,8C+lilp7ayKpy5M
drwx------ 2 user1 user1 4096 Oct 1 21:55 xavy48JtAUzUGMEFTKfrwd,ckOdtF0I09FkVArPrg1N
user1 logs in:
# journalctl -f |grep fscrypt
pam_fscrypt[1162]: Authenticate()
pam_fscrypt[1162]: Setreuid(1001, 0) = <nil>
pam_fscrypt[1162]: keyringID(_uid.1001) = 848488077, <nil>
pam_fscrypt[1162]: Setreuid(0, 1001) = <nil>
pam_fscrypt[1162]: KeyctlLink(848488077, -2) = <nil>
pam_fscrypt[1162]: Setreuid(0, 0) = <nil>
pam_fscrypt[1162]: keyringID(_uid.0) = 698375302, <nil>
pam_fscrypt[1162]: KeyctlLink(698375302, -2) = <nil>
pam_fscrypt[1162]: KeyctlLink(848488077, 698375302) = <nil>
pam_fscrypt[1162]: Setting privileges to "user1"
pam_fscrypt[1162]: Setregid(-1, 1001) = <nil>
pam_fscrypt[1162]: Setgroups([1001 6 7 90 91 92 93 95 96 98]) = <nil>
pam_fscrypt[1162]: Setreuid(-1, 1001) = <nil>
pam_fscrypt[1162]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[1162]: creating context for "user1"
pam_fscrypt[1162]: found ext4 filesystem "/" (/dev/sda)
pam_fscrypt[1162]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[1162]: found 1 descriptor(s)
pam_fscrypt[1162]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1162]: Getting protector 6682ae84e70e99b3 from option
pam_fscrypt[1162]: copying AUTHTOK for use in the session open
pam_fscrypt[1162]: Setting privileges to "root"
pam_fscrypt[1162]: Setreuid(-1, 0) = <nil>
pam_fscrypt[1162]: Setregid(-1, 0) = <nil>
pam_fscrypt[1162]: Setgroups([0 1 2 3 4 6 10 19]) = <nil>
pam_fscrypt[1162]: pam func succeeded
pam_fscrypt[1162]: OpenSession()
pam_fscrypt[1162]: Session count for UID=1001 updated to 1
pam_fscrypt[1162]: KeyctlLink(848488077, 698375302) = <nil>
pam_fscrypt[1162]: Setting privileges to "user1"
pam_fscrypt[1162]: Setregid(-1, 1001) = <nil>
pam_fscrypt[1162]: Setgroups([1001 6 7 90 91 92 93 95 96 98]) = <nil>
pam_fscrypt[1162]: Setreuid(-1, 1001) = <nil>
pam_fscrypt[1162]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[1162]: creating context for "user1"
pam_fscrypt[1162]: found ext4 filesystem "/" (/dev/sda)
pam_fscrypt[1162]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[1162]: found 1 descriptor(s)
pam_fscrypt[1162]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1162]: Getting protector 6682ae84e70e99b3 from option
pam_fscrypt[1162]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1162]: listing descriptors in "/.fscrypt/policies"
pam_fscrypt[1162]: found 1 descriptor(s)
pam_fscrypt[1162]: successfully read metadata from "/.fscrypt/policies/949471831dcf55cf"
pam_fscrypt[1162]: got data for 949471831dcf55cf from "/"
pam_fscrypt[1162]: successfully read metadata from "/.fscrypt/policies/1
Encrypted directory view after user1 login:
# ls -al /home/user1
total 44
drwxr-xr-x 8 user1 user1 4096 Oct 1 21:59 .
drwxr-xr-x 6 root root 4096 Sep 3 16:10 ..
drwxr-xr-x 4 user1 user1 4096 Oct 1 21:56 .cache
drwxr-xr-x 12 user1 user1 4096 Oct 1 21:59 .config
drwx------ 2 user1 user1 4096 Oct 1 21:55 Desktop
-rw------- 1 user1 user1 16 Oct 1 21:55 .esd_auth
-rw-r--r-- 1 user1 user1 336 Oct 1 21:55 .gtkrc-2.0
drwxr-xr-x 3 user1 user1 4096 Oct 1 21:55 .kde4
drwxr-xr-x 3 user1 user1 4096 Oct 1 21:55 .local
drwx------ 2 user1 user1 4096 Oct 1 21:55 Temp
-rw------- 1 user1 user1 51 Oct 1 21:59 .Xauthority
user1 logout:
# journalctl -f |grep fscrypt
pam_fscrypt[1116]: CloseSession(map[debug:true lock_policies:true drop_caches:true])
pam_fscrypt[1116]: Session count for UID=1001 updated to 0
pam_fscrypt[1116]: locking polices protected with login protector
pam_fscrypt[1116]: KeyctlLink(7728276, 117932856) = <nil>
pam_fscrypt[1116]: Setting privileges to "user1"
pam_fscrypt[1116]: Setregid(-1, 1001) = <nil>
pam_fscrypt[1116]: Setgroups([1001 6 7 90 91 92 93 95 96 98]) = <nil>
pam_fscrypt[1116]: Setreuid(-1, 1001) = <nil>
pam_fscrypt[1116]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[1116]: creating context for "user1"
pam_fscrypt[1116]: found ext4 filesystem "/" (/dev/sda)
pam_fscrypt[1116]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[1116]: found 1 descriptor(s)
pam_fscrypt[1116]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1116]: Getting protector 6682ae84e70e99b3 from option
pam_fscrypt[1116]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1116]: listing descriptors in "/.fscrypt/policies"
pam_fscrypt[1116]: found 1 descriptor(s)
pam_fscrypt[1116]: successfully read metadata from "/.fscrypt/policies/949471831dcf55cf"
pam_fscrypt[1116]: got data for 949471831dcf55cf from "/"
pam_fscrypt[1116]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1116]: listing descriptors in "/home/.fscrypt/policies"
pam_fscrypt[1116]: found 1 descriptor(s)
pam_fscrypt[1116]: successfully read metadata from "/home/.fscrypt/policies/949471831dcf55cf"
pam_fscrypt[1116]: got data for 949471831dcf55cf from "/home"
pam_fscrypt[1116]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
pam_fscrypt[1116]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
pam_fscrypt[1116]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
pam_fscrypt[1116]: stat /sys/kernel/debug/.fscrypt: permission denied
pam_fscrypt[1116]: stat /sys/kernel/debug/.fscrypt/policies: permission denied
pam_fscrypt[1116]: stat /sys/kernel/debug/.fscrypt/protectors: permission denied
Encrypted directory status after user1 logout:
# fscrypt status /home/user1/
"/home/user1" is encrypted with fscrypt.
Policy: 949471831dcf55cf
Unlocked: No
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
6682ae84e70e99b3 Yes (/) login protector for user1
Encrypted directory view after user1 logout:
# ls -al /home/user1
total 44
drwxr-xr-x 8 user1 user1 4096 Oct 1 22:04 .
drwxr-xr-x 6 root root 4096 Sep 3 16:10 ..
drwxr-xr-x 5 user1 user1 4096 Oct 1 22:05 .cache
drwxr-xr-x 12 user1 user1 4096 Oct 1 22:05 .config
drwx------ 2 user1 user1 4096 Oct 1 21:55 Desktop
-rw------- 1 user1 user1 16 Oct 1 21:55 .esd_auth
-rw-r--r-- 1 user1 user1 336 Oct 1 21:55 .gtkrc-2.0
drwxr-xr-x 3 user1 user1 4096 Oct 1 21:55 .kde4
drwxr-xr-x 3 user1 user1 4096 Oct 1 21:55 .local
drwx------ 2 user1 user1 4096 Oct 1 21:55 Temp
-rw------- 1 user1 user1 51 Oct 1 22:04 .Xauthority
Suggestion: Add documentation about passphrase hashing hardness
I'm somehow paranoid, but I have a suggestion, include argon2 iterations as an option for encrypt/decrypt folders.
The Argon2 0~20160821-1+b1 (latest) command line shows:
$ argon2
Usage: argon2 [-h] salt [-i|-d|-id] [-t iterations] [-m memory] [-p parallelism] [-l hash length] [-e|-r]
Password is read from stdin
Parameters:
salt The salt to use, at least 8 characters
-i Use Argon2i (this is the default)
-d Use Argon2d instead of Argon2i
-id Use Argon2id instead of Argon2i
-t N Sets the number of iterations to N (default = 3)
-m N Sets the memory usage of 2^N KiB (default 12)
-p N Sets parallelism to N threads (default 1)
-l N Sets hash output length to N bytes (default 32)
-e Output only encoded hash
-r Output only the raw bytes of the hash
-h Print argon2 usage
I have been using KeePass 2.36 for storing/backuping my passwords and keyfiles (I don't like it but I use for the argon2), it includes Argon2 algorithm but I can't extract anything of keyring files on the command line due to be a GUI only app (there is kpcli but is incompatible with its keyring files); it's simple to compute an approximate time by multiplying X iterations by a number to get a desired time to open such file using X threads.
I think this feature in the fscrypt could be very useful, even more with an interactive CPU time test option.
[question] user keyring still linked to root keyring after fscrypt purge command
I noticed that fscrypt purge correctly clear user keyring but it keeps it linked to root keyring
Before user unlocks encrypted directory:
# keyctl show
Session Keyring
500577725 --alswrv 0 0 keyring: _ses
749555953 --alswrv 0 65534 \_ keyring: _uid.0
After user unlocks encrypted directory:
# keyctl show
Session Keyring
500577725 --alswrv 0 0 keyring: _ses
749555953 --alswrv 0 65534 \_ keyring: _uid.0
173465956 ---lswrv 1001 65534 \_ keyring: _uid.1001
462364131 --alsw-v 1001 1001 \_ logon: ext4:949471831dcf55cf
After fscrypt purge / --force --user=user1
# keyctl show
Session Keyring
500577725 --alswrv 0 0 keyring: _ses
749555953 --alswrv 0 65534 \_ keyring: _uid.0
173465956 ---lswrv 1001 65534 \_ keyring: _uid.1001
Is it correct behavior? I think it should be back to clean state which means unlinking user keyring from root keyring.
Move to a better memory locking library
Fscrypt uses the Key struct to keep sensitive cryptographic data locked in memory and zeroed after use. However, this would be better spun out into a separate library (as it doesn't really deal much with fscrypt).
Luckily, @awnumar has written memguard a library for handling secrets in go. It does everything we want and more, but at the cost of requiring some changes to fscrypt (memguard.CatchInterrupt and memguard.SafeExit).
I'll need to do a more through read though of the code, but it looks good so far. In fact, the development of memguard incorporated things we learned with fscrypt. It really looks like this would be a strict improvement.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.