I took another shot at installing the 2.6.24.x series for the sake of testing the 
ecryptfs procfs patch and new utils. I've noted a few points below as I went 
through a short test of the new system.


The source for this was pulled from GIT last night, 4/6/08. The April 6th 
announcement points to:
git://git.kernel.org/pub/scm/linux/kernel/git/mhalcrow/ecryptfs-utils.git

config says

[remote "origin"]
         url = git://git.kernel.org/pub/scm/linux/kernel/git/mhalcrow/ecryptfs-utils.git
         fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
         remote = origin
         merge = refs/heads/master


Kernel 2.6.24.4 patched with the patch from the ecryptfs-users mailing list.



# mkdir ecryptfs 
# mkdir ecryptfs/crypt 
# mkdir ecryptfs/clear 
# modprobe ecryptfs 
# mount -t ecryptfs /mnt/ecryptfs/crypt /mnt/ecryptfs/clear 
Select key type to use for newly created files:
  1) openssl
  2) passphrase
Selection: 1
PEM key file [/root/.ecryptfs/pki/openssl/key.pem]:

                                                    ^^^^^^^^^^^^^^

(Cannot enter key here, or rather chars are not echoed back to the tty.
  Very hard to tell what one is entering, unless you copy/paste it. )


Method of providing the passphrase:
  1) passwd: Enter on Console
  2) passwd_file: File Containing Passphrase
  3) passwd_fd: File Descriptor for File Containing Passphrase
Selection [passwd]: 1
Passphrase:
Select cipher:
  1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
  2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
  3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
  4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
  5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
  6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: 1
Select key bytes:
  1) 16
  2) 32
  3) 24
Selection [16]:
Enable plaintext passthrough (y/n): n
Attempting to mount with the following options:
   ecryptfs_key_bytes=16
   ecryptfs_cipher=aes
   ecryptfs_sig=f4e702c4ad0755da
Mounted eCryptfs




I didn't see that ecryptfs.ko now has a parm for communication and my first
few tests ended in kernel bugs/hung system:




BUG: unable to handle kernel NULL pointer dereference at virtual address 00000008
printing eip: e3a9154b *pde = 00000000
Oops: 0000 [#1]
Modules linked in: ecb nf_conntrack_netlink nf_nat nf_conntrack nfnetlink_queue 
nfnetlink_log ecryptfs aes_i586 twofish_i586 twofish_common msr cpuid microcode 
firmware_class blowfish cast6 cbc md5 sha512 blkcipher cryptd ablkcipher 
serpent i915 lp iTCO_wdt iTCO_vendor_support hangcheck_timer cn i2c_i801 
i2c_dev pcspkr eepro100 parport_pc parport rtc_cmos ehci_hcd uhci_hcd configfs 
tcp_highspeed llc2 llc nfnetlink snd_pcm_oss snd_mixer_oss snd_seq_dummy 
snd_seq_oss snd_seq_midi snd_rtctimer snd_virmidi snd_seq_virmidi snd_rawmidi 
snd_seq_midi_event snd_seq snd_seq_device snd_intel8x0 snd_ac97_codec snd_pcm 
snd_timer snd snd_page_alloc ac97_bus soundcore

Pid: 1586, comm: ecryptfsd Not tainted (2.6.24.4 #1)
EIP: 0060:[<e3a9154b>] EFLAGS: 00010282 CPU: 0
EIP is at ecryptfs_process_helo+0x2e/0x170 [ecryptfs]
EAX: 00000000 EBX: de5c2e00 ECX: 0000001e EDX: 00000000
ESI: 00000000 EDI: 00000000 EBP: 00000632 ESP: de61fd30
  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process ecryptfsd (pid: 1586, ti=de61e000 task=de544000 task.ti=de61e000)
Stack: c0143d1b 00000001 c010c8fb ffffffff 000000d0 dec24018 00000000 c033df00
        de5c2e00 de50b900 de50b900 de61fd90 e3a91bb6 c033df6c de5c2e00 c02559e7
        de5c4400 00000010 de50b900 c0255341 c01a858b de61ff68 00000000 de5c4c00
Call Trace:
  [<c0143d1b>] __slab_alloc+0x5c/0x384
  [<c010c8fb>] __wake_up_common+0x31/0x56
  [<e3a91bb6>] ecryptfs_receive_nl_message+0xc0/0x13d [ecryptfs]
  [<c02559e7>] netlink_sendmsg+0x15f/0x259
  [<c0255341>] netlink_unicast+0x177/0x1cd
  [<c01a858b>] copy_from_user+0x23/0x4f
  [<c0255ad5>] netlink_sendmsg+0x24d/0x259
  [<c023a46b>] sock_sendmsg+0xbb/0xd3
  [<c011dff6>] autoremove_wake_function+0x0/0x33
  [<c011391c>] current_fs_time+0x13/0x15
  [<c01576a8>] mntput_no_expire+0x13/0x57
  [<c028e7a2>] unix_find_other+0xb5/0x128
  [<c012d429>] find_lock_page+0x15/0x60
  [<c01a858b>] copy_from_user+0x23/0x4f
  [<c023a792>] sys_sendto+0x118/0x138
  [<c0136b6e>] __do_fault+0x27c/0x2b6
  [<c0137d8e>] handle_mm_fault+0x223/0x47a
  [<c023b4d3>] sys_socketcall+0x15e/0x242
  [<c01023de>] sysenter_past_esp+0x5f/0x85
  [<c0290000>] unix_shutdown+0xdb/0xdf
  =======================
Code: 57 89 d7 56 89 c6 53 b8 d4 ee a9 e3 83 ec 20 e8 fa 6f 80 dc 89 fa 8d 44 24 18 e8 51 f9 ff ff 85 c0 0f 84 ff 00 00 00 8b 44 24 18 <8b> 40 08 89 6c 24 08 89 7c 24 04 c7 04 24 cf 77 a9 e3 89 44 24
EIP: [<e3a9154b>] ecryptfs_process_helo+0x2e/0x170 [ecryptfs] SS:ESP 0068:de61fd30
---[ end trace 23f13772ffd66f93 ]---



Make sure to set ecryptfs-transport!



filename:       /lib/modules/2.6.24.4/kernel/fs/ecryptfs/ecryptfs.ko.gz
license:        GPL
description:    eCryptfs
author:         Michael A. Halcrow <[EMAIL PROTECTED]>
depends:
vermagic:       2.6.24.4 mod_unload PENTIUM4
parm:           ecryptfs_verbosity:Initial verbosity level (0 or 1; defaults to 0, which is Quiet) (int)
parm:           ecryptfs_message_buf_len:Number of message buffer elements (uint)
parm:           ecryptfs_message_wait_timeout:Maximum number of seconds that an operation will sleep while waiting for a message response from userspace (long)
parm:           ecryptfs_number_of_users:An estimate of the number of concurrent users of eCryptfs (uint)
parm:           ecryptfs_transport:Transport mechanism for communicating with userspace daemons; 0 = netlink, 1 = connector, 2 = relayfs, 3 = procfs (uint)

As a side question, does #1, connector, work?




Using key /home/jayjwa/crypto/rsa-testing-key.pem

# mount -t ecryptfs /mnt/ecryptfs/crypt /mnt/ecryptfs/clear 
Select key type to use for newly created files:
  1) openssl
  2) passphrase
Selection: 1
PEM key file [/root/.ecryptfs/pki/openssl/key.pem]:

Method of providing the passphrase:
  1) passwd: Enter on Console
  2) passwd_file: File Containing Passphrase
  3) passwd_fd: File Descriptor for File Containing Passphrase
Selection [passwd]: 1
Passphrase:
Select cipher:
  1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
  2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
  3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
  4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
  5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
  6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: 1
Select key bytes:
  1) 16
  2) 32
  3) 24
Selection [16]:
Enable plaintext passthrough (y/n): n
Attempting to mount with the following options:
   ecryptfs_key_bytes=16
   ecryptfs_cipher=aes
   ecryptfs_sig=f4e702c4ad0755da
Mounted eCryptfs


# ecryptfsd --help    04/08/08- 1:23AM
Usage: ecryptfsd [options]
   -p, --pidfile <pidfile>               Set pid file name
   -f, --foreground                      Don't fork into background
   -C, --chroot <chroot>                 Chroot to directory
   -R, --prompt-prog <prompt-prog>       Program to execute for user prompt
   -V, --version                         Show version information
   -d, --channel <channel>       Communications channel (netlink or procfs)
   -h, --help                            Show usage information

# ecryptfsd --channel procfs

# pgrep -l ecryptfsd 
1784 ecryptfsd

# cat /tmp/mysql-5.0.51a.tar.gz.asc 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQBHlIpHjHGNO1By4fURAtgrAJ4n5jPumLbuATcuWdg/5rtTPghveQCgn/hF
0Y8j7jhF/Tt2tcdi8r5kuhM=
=3kuk
-----END PGP SIGNATURE-----

# mv /tmp/mysql-5.0.51a.tar.gz.asc /mnt/ecryptfs/clear 
`/tmp/mysql-5.0.51a.tar.gz.asc' -> `/mnt/ecryptfs/clear/mysql-5.0.51a.tar.gz.asc'
removed `/tmp/mysql-5.0.51a.tar.gz.asc'

# cp /tmp/SDL-1.2.13.tar.gz /mnt/ecryptfs/clear 
`/tmp/SDL-1.2.13.tar.gz' -> `/mnt/ecryptfs/clear/SDL-1.2.13.tar.gz'


# keyctl show 
Session Keyring
        -3 --alswrv      0     0  keyring: _uid_ses.0
         2 --alswrv      0     0   \_ keyring: _uid.0
779209263 --alswrv      0     0       \_ user: f4e702c4ad0755da

# file /mnt/ecryptfs/clear/*

/mnt/ecryptfs/clear/mysql-5.0.51a.tar.gz.asc: PGP armored data
/mnt/ecryptfs/clear/SDL-1.2.13.tar.gz:        gzip compressed data, from Unix, last modified: Mon Dec 31 01:17:06 2007, max compression



# mount    04/08/08- 1:31AM
/dev/hda1 on / type ext2 (rw)
proc on /proc type proc (rw)
configfs on /config type configfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
shm on /dev/shm type tmpfs (rw)
usbfs on /proc/bus/usb type usbfs (rw)
sysfs on /sys type sysfs (rw)
securityfs on /sys/kernel/security type securityfs (rw)
/mnt/ecryptfs/crypt on /mnt/ecryptfs/clear type ecryptfs (rw,ecryptfs_sig=f4e702c4ad0755da,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,)

# umount /mnt/ecryptfs/crypt    04/08/08- 1:31AM

# keyctl clear @u    04/08/08- 1:31AM
# ls /mnt/ecryptfs/clear    04/08/08- 1:31AM
# ls /mnt/ecryptfs/crypt    04/08/08- 1:32AM
mysql-5.0.51a.tar.gz.asc  SDL-1.2.13.tar.gz

# file  /mnt/ecryptfs/crypt/*    04/08/08- 1:32AM
/mnt/ecryptfs/crypt/mysql-5.0.51a.tar.gz.asc: data
/mnt/ecryptfs/crypt/SDL-1.2.13.tar.gz:        data

Using key /home/jayjwa/crypto/rsa-testing-key.pem


# mount -t ecryptfs /mnt/ecryptfs/crypt /mnt/ecryptfs/clear    04/08/08- 1:33AM
Select key type to use for newly created files:
  1) openssl
  2) passphrase
Selection: 1
PEM key file [/root/.ecryptfs/pki/openssl/key.pem]:
Method of providing the passphrase:
  1) passwd: Enter on Console
  2) passwd_file: File Containing Passphrase
  3) passwd_fd: File Descriptor for File Containing Passphrase
Selection [passwd]: 1
Passphrase:
Select cipher:
  1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
  2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
  3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
  4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
  5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
  6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: 1
Select key bytes:
  1) 16
  2) 32
  3) 24
Selection [16]:
Enable plaintext passthrough (y/n): n
Attempting to mount with the following options:
   ecryptfs_key_bytes=16
   ecryptfs_cipher=aes
   ecryptfs_sig=f4e702c4ad0755da
Mounted eCryptfs

# pgrep -l ecryptfsd    04/08/08- 1:34AM
1784 ecryptfsd

# file /mnt/ecryptfs/clear/*    04/08/08- 1:34AM
/mnt/ecryptfs/clear/mysql-5.0.51a.tar.gz.asc: PGP armored data
/mnt/ecryptfs/clear/SDL-1.2.13.tar.gz:        gzip compressed data, from Unix, last modified: Mon Dec 31 01:17:06 2007, max compression

# cat /mnt/ecryptfs/clear/mysql-5.0.51a.tar.gz.asc    04/08/08- 1:34AM
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQBHlIpHjHGNO1By4fURAtgrAJ4n5jPumLbuATcuWdg/5rtTPghveQCgn/hF
0Y8j7jhF/Tt2tcdi8r5kuhM=
=3kuk
-----END PGP SIGNATURE-----




---------------------------------------------------------------------------------

With a user reading files using a root-run daemon:

Using key /home/jayjwa/crypto/rsa-testing-key.pem

ecryptfs-manager

eCryptfs key management menu
-------------------------------
         1. Add passphrase key to keyring
         2. Add public key to keyring
         3. Generate new public/private keypair
         4. Exit

Make selection: 2
Select key type to use for newly created files:
  1) openssl
  2) passphrase
Selection: 1
PEM key file [/home/jayjwa/.ecryptfs/pki/openssl/key.pem]:
Method of providing the passphrase:
  1) passwd: Enter on Console
  2) passwd_file: File Containing Passphrase
  3) passwd_fd: File Descriptor for File Containing Passphrase
Selection [passwd]: 1
Passphrase:
Returning to main menu

eCryptfs key management menu
-------------------------------
         1. Add passphrase key to keyring
         2. Add public key to keyring
         3. Generate new public/private keypair
         4. Exit

Make selection: 4

keyctl show
Session Keyring
        -3 --alswrv    100    -1  keyring: _uid_ses.100
344166184 --alswrv    100    -1   \_ keyring: _uid.100
  36687031 --alswrv    100   100       \_ user: f4e702c4ad0755da

cat /mnt/ecryptfs/clear/mysql-5.0.51a.tar.gz.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQBHlIpHjHGNO1By4fURAtgrAJ4n5jPumLbuATcuWdg/5rtTPghveQCgn/hF
0Y8j7jhF/Tt2tcdi8r5kuhM=
=3kuk
-----END PGP SIGNATURE-----

file /mnt/ecryptfs/clear/*
/mnt/ecryptfs/clear/mysql-5.0.51a.tar.gz.asc: PGP armored data
/mnt/ecryptfs/clear/SDL-1.2.13.tar.gz:        gzip compressed data, from Unix, last modified: Mon Dec 31 01:17:06 2007, max compression

keyctl clear @u
keyctl show
Session Keyring
        -3 --alswrv    100    -1  keyring: _uid_ses.100
344166184 --alswrv    100    -1   \_ keyring: _uid.100

cat /mnt/ecryptfs/clear/mysql-5.0.51a.tar.gz.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQBHlIpHjHGNO1By4fURAtgrAJ4n5jPumLbuATcuWdg/5rtTPghveQCgn/hF
0Y8j7jhF/Tt2tcdi8r5kuhM=
=3kuk
-----END PGP SIGNATURE-----







Thoughts, Issues:

1) When entering the public key, typing doesn't echo the characters.
    Telling if you typed correctly is difficult.

2) A user can read ecryptfs files even if he has no/wrong key, as long
    as ecryptfs has been mounted successfully. Shouldn't only users with
    a proper key be able to read the files?

3) What's in modprobe.conf always overrules what you enter on the command
    line, even if the parm. doesn't exist in modprobe.conf (but only on the
    command line). In this case, you'll likely get a crash/hang.



# modprobe ecryptfs ecryptfs_verbosity=1 ecryptfs_number_of_users=2 ecryptfs_transport=3

modprobe.conf:

...
ecryptfs_verbosity=0
ecryptfs_number_of_users=2
...


Apr  7 23:40:20 vdrl ecryptfsd: Starting eCryptfs userspace netlink daemon [1563]
Apr  7 23:40:20 vdrl ecryptfsd: Failed to send eCryptfs netlink message: Connection refused
Apr  7 23:40:20 vdrl ecryptfsd: Failed to register netlink daemon with the eCryptfs kernel module
Apr  7 23:40:20 vdrl ecryptfsd: Failed to send eCryptfs netlink message: Connection refused
Apr  7 23:40:20 vdrl ecryptfsd: ecryptfsd_exit: Failed to unregister netlink daemon with the eCryptfs kernel module
Apr  7 23:40:20 vdrl ecryptfsd: ecryptfsd_exit: Closing eCryptfs userspace netlink daemon [1563]


# mv /tmp/mysql-5.0.51a.tar.gz.asc /mnt/ecryptfs/clear 
`/tmp/mysql-5.0.51a.tar.gz.asc' -> `/mnt/ecryptfs/clear/mysql-5.0.51a.tar.gz.asc'

(Hang & hangs the terminal)



4) There were a few error messages in syslog:

  mount.ecryptfs: Error initializing key module [/usr/lib/ecryptfs/libecryptfs_key_mod_gpg.so]; rc = [-22]
  ecryptfsd: Error initializing key module [/usr/lib/ecryptfs/libecryptfs_key_mod_gpg.so]; rc = [-22]
  kernel: Error attempting to read the [user.ecryptfs] xattr from the lower file; return value = [4294967201]



_______________________________________________
eCryptfs-users mailing list
eCryptfs-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ecryptfs-users
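
Added example, not part of the original message or of ecryptfs-utils: a preflight check for the mismatch reported as issue 3, comparing the ecryptfs_transport value set in modprobe.conf with the channel ecryptfsd is to be started on. The "options ecryptfs" line form, the function names and the sample file are assumptions; the number-to-name mapping is the one from the modinfo output in the message.

```shell
#!/bin/sh
# Added example: preflight check run before "modprobe ecryptfs" / "ecryptfsd --channel".

# Map an ecryptfs_transport number to its name (mapping from the modinfo text).
transport_name() {
    case "$1" in
        0) echo netlink ;;
        1) echo connector ;;
        2) echo relayfs ;;
        3) echo procfs ;;
        *) echo unknown ;;
    esac
}

# Print the last ecryptfs_transport value found on an "options ecryptfs" line
# of the given file; print nothing if the parameter is never set there.
configured_transport() {
    awk '$1 == "options" && $2 == "ecryptfs" {
             for (i = 3; i <= NF; i++)
                 if (split($i, kv, "=") == 2 && kv[1] == "ecryptfs_transport")
                     val = kv[2]
         }
         END { if (val != "") print val }' "$1"
}

# check_channel CONF CHANNEL prints "ok", "unset" or "mismatch:<name>".
check_channel() {
    t=$(configured_transport "$1")
    if [ -z "$t" ]; then
        echo unset                      # transport left to the module default
    elif [ "$(transport_name "$t")" = "$2" ]; then
        echo ok
    else
        echo "mismatch:$(transport_name "$t")"
    fi
}

# Constructed sample: modprobe.conf sets verbosity and user count only,
# as in the message; the transport parameter is absent.
sample=$(mktemp)
printf 'options ecryptfs ecryptfs_verbosity=0 ecryptfs_number_of_users=2\n' > "$sample"
check_channel "$sample" procfs
rm -f "$sample"
```

Anything other than "ok" means the module and the daemon should not be started until the transport is set explicitly in the file modprobe reads.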