I am trying to come up with a usable configuration of ecryptfs to
create a secured directory for our product to stash some of its
configuration and data in.  This diretory needs to be keyed to the TPM
in the system in such a fashion that the directory will only be
readable if it is the same system it was originally configured on.
This means keying it to one or more PCR's in the TPM.

I had this working after some floundering earlier on RHEL 5.2 but so
far have been  unable to reproduce it on CentOS 5.2(which should have
been easy).

First, Could anyone please confirm for me if they have a configuration
like this running on CentOS 5.2 and if so, using what versions of
trousers, ecryptfs, and kernel?

Second,  to describe my results.  Using Trousers 1.3.1 as distributed
with Centos 5.2, and ecryptfs-utils 41, (this is the version shipped
with 5.2, however it was necessary to download the sourcecode and
reconfigure with the --with-tspi parameter.  Then the following is
done to prepare to mount the directory.

   modprobe tpm_tis
   modprobe ecryptfs

Then I generate a key using pcr 1 and note the uuid in the output using:
   ecryptfs-generate-tpm-key -p 1

Then I mount a ecryptfs filesystem:
   mount -t ecryptfs /secret /secret
and select option 3. tspi, provide the uuid from above,  and accept
defaults for the rest of the prompts, Here's how that goes

# mount -t ecryptfs /secret /secret
Select key type to use for newly created files:
 1) passphrase
 2) openssl
 3) tspi
Selection: 3
uuid: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]:
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]:
Enable plaintext passthrough (y/n): n
Attempting to mount with the following options:
Mounted eCryptfs

This all goes fine.  I then create a test file in the /secret
directory and as expected there is a slight pause, and the file is
created. I can turn around at cat out the test file and it shows the
expected contents.

I then unmount the directory and cat the file again and as expected get gibrish.

I then re-mount the directory, using the same procedure as above but
am unable to decrypt the file.  Upon attempting to cat the file out I

cat: /secret/test: Input/output error

messages following this shows the following.

Jul  1 10:09:42 localhost ecryptfsd: Tspi_Data_Unseal failed: [Bad input size]
Jul  1 10:09:42 localhost ecryptfsd: Failed to get size for decrypted key
Jul  1 10:09:42 localhost ecryptfsd: Failed to decrypt key; rc = [-5]
Jul  1 10:09:42 localhost kernel: Failed to parse tag 65 packet; rc = [-5]
Jul  1 10:09:42 localhost kernel: ecryptfs_parse_packet_set: Error
decrypting the session key for authentication token with sig []; rc =
[-5]. Removing auth tok candidate from the list and searching for the
next match.
Jul  1 10:09:42 localhost kernel: ecryptfs_parse_packet_set: Could not
find a usable authentication token
Jul  1 10:09:42 localhost kernel: Error attempting to read the
[user.ecryptfs] xattr from the lower file; return value = [4294967235]
Jul  1 10:09:42 localhost kernel: Attempt to read file that is not in
a valid eCryptfs format, and plaintext passthrough mode is not
enabled; returning -EIO

Its unclear to me if this is a trousers or an ecryptfs issue.

Thankyou to the developers who were trying to help me in IRC, and I
promise to return later and help with testing the bleeding edge in any
way I can, however I need to get this back to the configuration I had
working a few weeks ago on a pretty much stock Redhat EL system.   Any
input from someone running a similar configuration, or seeing
something in my procedure or results would be greatly appreciated.

Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
eCryptfs-users mailing list

Reply via email to