Hello All,

There is a new release of eCryptfs, a POSIX-compliant enterprise-class stacked cryptographic filesystem for Linux.

This release (30) supports PKCS#11 based keys. It would be great to receive some feedback.

The flow is something like:

usermode->kernel->ecryptfs->usermode->ecryptfsd->kernel->ecryptfs->fs

Each file is encrypted separately on the filesystem; the public/private key operations are done in userspace in the context of the user.

Quick start

1. Download the latest ecryptfs-utils from:
   http://ecryptfs.sourceforge.net
   http://sourceforge.net/project/showfiles.php?group_id=133988&package_id=149785
   Gentoo ebuild at: http://bugs.gentoo.org/show_bug.cgi?id=198608
2. Download and install the latest pkcs11-helper from: http://www.opensc-project.org
3. Build with --enable-pkcs11-helper
4. Be sure you have a private key that allows decryption and a certificate that matches this private key (it can be self-signed).
5. Create ~/.ecryptfsrc.pkcs11 with:
   pkcs11-provider,name=p1,library=/usr/lib/pkcs11/<whatever>
6. Compile the kernel with: CONFIG_ECRYPT_FS=m
7. Load the ecryptfs module with a long timeout:
   modprobe ecryptfs ecryptfs_message_wait_timeout=10
   [[There is a known bug in the kernel module that waits for this timeout on almost every read...]]
8. Use ecryptfs-manager->2->pkcs11 in order to load your key. Do not type a passphrase; this is insecure.
9. As your regular user, run the keyctl show command to see the hash of your key:
   $ keyctl show
   Session Keyring
   -3 --alswrv 1000 -1 keyring: _uid_ses.1000
   762178152 --alswrv 1000 -1 \_ keyring: _uid.1000
   837059562 --alswrv 1000 449 \_ user: 107b50e092b00995
10. Modify and put the following in /etc/fstab; notice the mount point and key hash.
   /home/xxx/secret /home/xxx/secret ecryptfs rw,sig=107b50e092b00995,cipher=aes,ecryptfs_key_bytes=16,passthrough=0,users,noauto 0 0
11. Run (as user): ecryptfsd --prompt-prog=<dialog program>
   The dialog program has the same interface as the OpenSSH dialog program. You can get one at:
   http://alon.barlev.googlepages.com/openssh-pkcs11
12. Mount the filesystem (as user).
13. Create a file.
14. Unmount the filesystem.
15. Verify that the file is encrypted.
16. Mount the filesystem again.
17. You should be able to access the file after being prompted for the passphrase.

Best Regards,
Alon Bar-Lev.

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
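Steps 9, 10 and 15 of the quick start above are easy to get wrong by hand (copying the key signature into fstab, and confirming the lower file really is ciphertext). The shell script below is an added example and is not part of the announcement or of the eCryptfs project: it takes a constructed `keyctl show` listing shaped like the one in step 9, extracts the `user:` key signature, builds the fstab line from step 10 for a mount point you supply, and checks that a known plaintext string does not appear in the lower (on-disk) file after unmount. It assumes the signature is 16 lowercase hex digits, as in the listing above, and that the mount point path is the one you pass in.

```shell
#!/bin/sh
# Added example (not the project's code). POSIX sh; needs only sed, grep, head.

# Constructed sample of `keyctl show` output, shaped like step 9 above.
SAMPLE_KEYCTL='Session Keyring
       -3 --alswrv   1000    -1  keyring: _uid_ses.1000
762178152 --alswrv   1000    -1   \_ keyring: _uid.1000
837059562 --alswrv   1000   449       \_ user: 107b50e092b00995'

# extract_sig KEYCTL_OUTPUT
# Prints the description of the first "user:" key in the listing, which is the
# value eCryptfs expects in the sig= mount option. Returns 1 if none is found.
extract_sig() {
    sig=$(printf '%s\n' "$1" \
        | sed -n 's/.*user: \([0-9a-f]\{16\}\).*/\1/p' | head -n 1)
    [ -n "$sig" ] || return 1
    printf '%s\n' "$sig"
}

# valid_sig SIG
# Assumption: a usable signature is exactly 16 lowercase hex digits.
valid_sig() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{16}$'
}

# fstab_line MOUNTPOINT SIG
# Emits the step-10 entry (same options as the announcement) for MOUNTPOINT,
# mounted over itself, refusing a malformed signature instead of writing it.
fstab_line() {
    mnt=$1
    sig=$2
    valid_sig "$sig" || return 1
    printf '%s %s ecryptfs rw,sig=%s,cipher=aes,ecryptfs_key_bytes=16,passthrough=0,users,noauto 0 0\n' \
        "$mnt" "$mnt" "$sig"
}

# lower_file_hides PLAINTEXT FILE
# Step-15 check after unmount: succeeds only if PLAINTEXT is absent from the
# on-disk file. A hit means the data is stored in the clear.
lower_file_hides() {
    needle=$1
    file=$2
    [ -f "$file" ] || return 2
    ! grep -q -F -- "$needle" "$file"
}

# Stand-alone run: derive the fstab line from the constructed listing and
# exercise the step-15 check on two temporary files (one clear, one not).
if [ "${1:-}" = "--demo" ]; then
    sig=$(extract_sig "$SAMPLE_KEYCTL") || { echo "no user key in keyring" >&2; exit 1; }
    fstab_line /home/xxx/secret "$sig"
    tmp=$(mktemp)
    printf 'hello from step 13\n' > "$tmp"
    lower_file_hides 'hello from step 13' "$tmp" && echo "unexpected" || echo "plaintext visible: $tmp"
    printf '\000\377\012\200' > "$tmp"
    lower_file_hides 'hello from step 13' "$tmp" && echo "ok, no plaintext in $tmp"
    rm -f "$tmp"
fi
```

Run it with `sh script.sh --demo` to see the generated fstab entry and the two outcomes of the step-15 check; in real use, feed `extract_sig "$(keyctl show)"` and point `lower_file_hides` at the file in the lower directory after step 14.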