2 files changed, 101 insertions, 19 deletions
diff --git a/Documentation/security/keys-ecryptfs.txt b/Documentation/security/keys-ecryptfs.txt
new file mode 100644
index 00000000000..c3bbeba6356
--- /dev/null
+++ b/Documentation/security/keys-ecryptfs.txt
@@ -0,0 +1,68 @@
+                Encrypted keys for the eCryptfs filesystem
+ECryptfs is a stacked filesystem which transparently encrypts and decrypts each
+file using a randomly generated File Encryption Key (FEK).
+Each FEK is in turn encrypted with a File Encryption Key Encryption Key (FEFEK)
+either in kernel space or in user space with a daemon called 'ecryptfsd'.  In
+the former case the operation is performed directly by the kernel CryptoAPI
+using a key, the FEFEK, derived from a user prompted passphrase;  in the latter
+the FEK is encrypted by 'ecryptfsd' with the help of external libraries in order
+to support other mechanisms like public key cryptography, PKCS#11 and TPM based
+operations.
+The data structure defined by eCryptfs to contain information required for the
+FEK decryption is called authentication token and, currently, can be stored in a
+kernel key of the 'user' type, inserted in the user's session specific keyring
+by the userspace utility 'mount.ecryptfs' shipped with the package
+'ecryptfs-utils'.
+The 'encrypted' key type has been extended with the introduction of the new
+format 'ecryptfs' in order to be used in conjunction with the eCryptfs
+filesystem.  Encrypted keys of the newly introduced format store an
+authentication token in its payload with a FEFEK randomly generated by the
+kernel and protected by the parent master key.
+In order to avoid known-plaintext attacks, the datablob obtained through
+commands 'keyctl print' or 'keyctl pipe' does not contain the overall
+authentication token, which content is well known, but only the FEFEK in
+encrypted form.
+The eCryptfs filesystem may really benefit from using encrypted keys in that the
+required key can be securely generated by an Administrator and provided at boot
+time after the unsealing of a 'trusted' key in order to perform the mount in a
+controlled environment.  Another advantage is that the key is not exposed to
+threats of malicious software, because it is available in clear form only at
+kernel level.
+Usage:
+   keyctl add encrypted name "new ecryptfs key-type:master-key-name keylen" ring
+   keyctl add encrypted name "load hex_blob" ring
+   keyctl update keyid "update key-type:master-key-name"
+name:= '<16 hexadecimal characters>'
+key-type:= 'trusted' | 'user'
+keylen:= 64
+Example of encrypted key usage with the eCryptfs filesystem:
+Create an encrypted key "1000100010001000" of length 64 bytes with format
+'ecryptfs' and save it using a previously loaded user key "test":
+    $ keyctl add encrypted 1000100010001000 "new ecryptfs user:test 64" @u
+    19184530
+    $ keyctl print 19184530
+    ecryptfs user:test 64 490045d4bfe48c99f0d465fbbbb79e7500da954178e2de0697
+    dd85091f5450a0511219e9f7cd70dcd498038181466f78ac8d4c19504fcc72402bfc41c2
+    f253a41b7507ccaa4b2b03fff19a69d1cc0b16e71746473f023a95488b6edfd86f7fdd40
+    9d292e4bacded1258880122dd553a661
+    $ keyctl pipe 19184530 > ecryptfs.blob
+Mount an eCryptfs filesystem using the created encrypted key "1000100010001000"
+into the '/secret' directory:
+    $ mount -i -t ecryptfs -oecryptfs_sig=1000100010001000,\
+      ecryptfs_cipher=aes,ecryptfs_key_bytes=32 /secret /secret
diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt
index 8fb79bc1ac4..5f50ccabfc8 100644
--- a/Documentation/security/keys-trusted-encrypted.txt
+++ b/Documentation/security/keys-trusted-encrypted.txt
@@ -53,12 +53,19 @@ they are only as secure as the user key encrypting them.  The master user key
 should therefore be loaded in as secure a way as possible, preferably early in
 boot.
+The decrypted portion of encrypted keys can contain either a simple symmetric
+key or a more complex structure. The format of the more complex structure is
+application specific, which is identified by 'format'.
 Usage:
-  keyctl add encrypted name "new key-type:master-key-name keylen" ring
+    keyctl add encrypted name "new [format] key-type:master-key-name keylen"
-  keyctl add encrypted name "load hex_blob" ring
+        ring
-  keyctl update keyid "update key-type:master-key-name"
+    keyctl add encrypted name "load hex_blob" ring
+    keyctl update keyid "update key-type:master-key-name"
+format:= 'default | ecryptfs'
+key-type:= 'trusted' | 'user'
-where 'key-type' is either 'trusted' or 'user'.
 Examples of trusted and encrypted key usage:
@@ -114,15 +121,25 @@ Reseal a trusted key under new pcr values:
    7ef6a24defe4846104209bf0c3eced7fa1a672ed5b125fc9d8cd88b476a658a4434644ef
    df8ae9a178e9f83ba9f08d10fa47e4226b98b0702f06b3b8
-Create and save an encrypted key "evm" using the above trusted key "kmk":
+The initial consumer of trusted keys is EVM, which at boot time needs a high
+quality symmetric key for HMAC protection of file metadata.  The use of a
+trusted key provides strong guarantees that the EVM key has not been
+compromised by a user level problem, and when sealed to specific boot PCR
+values, protects against boot and offline attacks.  Create and save an
+encrypted key "evm" using the above trusted key "kmk":
+option 1: omitting 'format'
    $ keyctl add encrypted evm "new trusted:kmk 32" @u
    159771175
+option 2: explicitly defining 'format' as 'default'
+    $ keyctl add encrypted evm "new default trusted:kmk 32" @u
+    159771175
    $ keyctl print 159771175
-    trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b382dbbc55
+    default trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b3
-    be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e024717c64
+    82dbbc55be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e0
-    5972dcb82ab2dde83376d82b2e3c09ffc
+    24717c64 5972dcb82ab2dde83376d82b2e3c09ffc
    $ keyctl pipe 159771175 > evm.blob
@@ -132,14 +149,11 @@ Load an encrypted key "evm" from saved blob:
    831684262
    $ keyctl print 831684262
-    trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b382dbbc55
+    default trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b3
-    be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e024717c64
+    82dbbc55be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e0
-    5972dcb82ab2dde83376d82b2e3c09ffc
+    24717c64 5972dcb82ab2dde83376d82b2e3c09ffc
+Other uses for trusted and encrypted keys, such as for disk and file encryption
-The initial consumer of trusted keys is EVM, which at boot time needs a high
+are anticipated.  In particular the new format 'ecryptfs' has been defined in
-quality symmetric key for HMAC protection of file metadata.  The use of a
+in order to use encrypted keys to mount an eCryptfs filesystem.  More details
-trusted key provides strong guarantees that the EVM key has not been
+about the usage can be found in the file 'Documentation/keys-ecryptfs.txt'.
-compromised by a user level problem, and when sealed to specific boot PCR
-values, protects against boot and offline attacks.  Other uses for trusted and
-encrypted keys, such as for disk and file encryption are anticipated.

diff --git a/Documentation/security/keys-ecryptfs.txt b/Documentation/security/keys-ecryptfs.txt new file mode 100644 index 00000000000..c3bbeba6356 --- /dev/null +++ b/Documentation/security/keys-ecryptfs.txt
@@ -0,0 +1,68 @@
		1	Encrypted keys for the eCryptfs filesystem
		2
		3	ECryptfs is a stacked filesystem which transparently encrypts and decrypts each
		4	file using a randomly generated File Encryption Key (FEK).
		5
		6	Each FEK is in turn encrypted with a File Encryption Key Encryption Key (FEFEK)
		7	either in kernel space or in user space with a daemon called 'ecryptfsd'. In
		8	the former case the operation is performed directly by the kernel CryptoAPI
		9	using a key, the FEFEK, derived from a user prompted passphrase; in the latter
		10	the FEK is encrypted by 'ecryptfsd' with the help of external libraries in order
		11	to support other mechanisms like public key cryptography, PKCS#11 and TPM based
		12	operations.
		13
		14	The data structure defined by eCryptfs to contain information required for the
		15	FEK decryption is called authentication token and, currently, can be stored in a
		16	kernel key of the 'user' type, inserted in the user's session specific keyring
		17	by the userspace utility 'mount.ecryptfs' shipped with the package
		18	'ecryptfs-utils'.
		19
		20	The 'encrypted' key type has been extended with the introduction of the new
		21	format 'ecryptfs' in order to be used in conjunction with the eCryptfs
		22	filesystem. Encrypted keys of the newly introduced format store an
		23	authentication token in its payload with a FEFEK randomly generated by the
		24	kernel and protected by the parent master key.
		25
		26	In order to avoid known-plaintext attacks, the datablob obtained through
		27	commands 'keyctl print' or 'keyctl pipe' does not contain the overall
		28	authentication token, which content is well known, but only the FEFEK in
		29	encrypted form.
		30
		31	The eCryptfs filesystem may really benefit from using encrypted keys in that the
		32	required key can be securely generated by an Administrator and provided at boot
		33	time after the unsealing of a 'trusted' key in order to perform the mount in a
		34	controlled environment. Another advantage is that the key is not exposed to
		35	threats of malicious software, because it is available in clear form only at
		36	kernel level.
		37
		38	Usage:
		39	keyctl add encrypted name "new ecryptfs key-type:master-key-name keylen" ring
		40	keyctl add encrypted name "load hex_blob" ring
		41	keyctl update keyid "update key-type:master-key-name"
		42
		43	name:= '<16 hexadecimal characters>'
		44	key-type:= 'trusted' \| 'user'
		45	keylen:= 64
		46
		47
		48	Example of encrypted key usage with the eCryptfs filesystem:
		49
		50	Create an encrypted key "1000100010001000" of length 64 bytes with format
		51	'ecryptfs' and save it using a previously loaded user key "test":
		52
		53	$ keyctl add encrypted 1000100010001000 "new ecryptfs user:test 64" @u
		54	19184530
		55
		56	$ keyctl print 19184530
		57	ecryptfs user:test 64 490045d4bfe48c99f0d465fbbbb79e7500da954178e2de0697
		58	dd85091f5450a0511219e9f7cd70dcd498038181466f78ac8d4c19504fcc72402bfc41c2
		59	f253a41b7507ccaa4b2b03fff19a69d1cc0b16e71746473f023a95488b6edfd86f7fdd40
		60	9d292e4bacded1258880122dd553a661
		61
		62	$ keyctl pipe 19184530 > ecryptfs.blob
		63
		64	Mount an eCryptfs filesystem using the created encrypted key "1000100010001000"
		65	into the '/secret' directory:
		66
		67	$ mount -i -t ecryptfs -oecryptfs_sig=1000100010001000,\
		68	ecryptfs_cipher=aes,ecryptfs_key_bytes=32 /secret /secret


diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt index 8fb79bc1ac4..5f50ccabfc8 100644 --- a/Documentation/security/keys-trusted-encrypted.txt +++ b/Documentation/security/keys-trusted-encrypted.txt
@@ -53,12 +53,19 @@ they are only as secure as the user key encrypting them. The master user key
53	should therefore be loaded in as secure a way as possible, preferably early in	53	should therefore be loaded in as secure a way as possible, preferably early in
54	boot.	54	boot.
55		55
		56	The decrypted portion of encrypted keys can contain either a simple symmetric
		57	key or a more complex structure. The format of the more complex structure is
		58	application specific, which is identified by 'format'.
		59
56	Usage:	60	Usage:
57	keyctl add encrypted name "new key-type:master-key-name keylen" ring	61	keyctl add encrypted name "new [format] key-type:master-key-name keylen"
58	keyctl add encrypted name "load hex_blob" ring	62	ring
59	keyctl update keyid "update key-type:master-key-name"	63	keyctl add encrypted name "load hex_blob" ring
		64	keyctl update keyid "update key-type:master-key-name"
		65
		66	format:= 'default \| ecryptfs'
		67	key-type:= 'trusted' \| 'user'
60		68
61	where 'key-type' is either 'trusted' or 'user'.
62		69
63	Examples of trusted and encrypted key usage:	70	Examples of trusted and encrypted key usage:
64		71
@@ -114,15 +121,25 @@ Reseal a trusted key under new pcr values:
114	7ef6a24defe4846104209bf0c3eced7fa1a672ed5b125fc9d8cd88b476a658a4434644ef	121	7ef6a24defe4846104209bf0c3eced7fa1a672ed5b125fc9d8cd88b476a658a4434644ef
115	df8ae9a178e9f83ba9f08d10fa47e4226b98b0702f06b3b8	122	df8ae9a178e9f83ba9f08d10fa47e4226b98b0702f06b3b8
116		123
117	Create and save an encrypted key "evm" using the above trusted key "kmk":	124	The initial consumer of trusted keys is EVM, which at boot time needs a high
		125	quality symmetric key for HMAC protection of file metadata. The use of a
		126	trusted key provides strong guarantees that the EVM key has not been
		127	compromised by a user level problem, and when sealed to specific boot PCR
		128	values, protects against boot and offline attacks. Create and save an
		129	encrypted key "evm" using the above trusted key "kmk":
118		130
		131	option 1: omitting 'format'
119	$ keyctl add encrypted evm "new trusted:kmk 32" @u	132	$ keyctl add encrypted evm "new trusted:kmk 32" @u
120	159771175	133	159771175
121		134
		135	option 2: explicitly defining 'format' as 'default'
		136	$ keyctl add encrypted evm "new default trusted:kmk 32" @u
		137	159771175
		138
122	$ keyctl print 159771175	139	$ keyctl print 159771175
123	trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b382dbbc55	140	default trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b3
124	be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e024717c64	141	82dbbc55be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e0
125	5972dcb82ab2dde83376d82b2e3c09ffc	142	24717c64 5972dcb82ab2dde83376d82b2e3c09ffc
126		143
127	$ keyctl pipe 159771175 > evm.blob	144	$ keyctl pipe 159771175 > evm.blob
128		145
@@ -132,14 +149,11 @@ Load an encrypted key "evm" from saved blob:
132	831684262	149	831684262
133		150
134	$ keyctl print 831684262	151	$ keyctl print 831684262
135	trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b382dbbc55	152	default trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b3
136	be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e024717c64	153	82dbbc55be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e0
137	5972dcb82ab2dde83376d82b2e3c09ffc	154	24717c64 5972dcb82ab2dde83376d82b2e3c09ffc
138		155
139		156	Other uses for trusted and encrypted keys, such as for disk and file encryption
140	The initial consumer of trusted keys is EVM, which at boot time needs a high	157	are anticipated. In particular the new format 'ecryptfs' has been defined in
141	quality symmetric key for HMAC protection of file metadata. The use of a	158	in order to use encrypted keys to mount an eCryptfs filesystem. More details
142	trusted key provides strong guarantees that the EVM key has not been	159	about the usage can be found in the file 'Documentation/keys-ecryptfs.txt'.
143	compromised by a user level problem, and when sealed to specific boot PCR
144	values, protects against boot and offline attacks. Other uses for trusted and
145	encrypted keys, such as for disk and file encryption are anticipated.