(wishlist) support for binary keyfile in mounting ecryptfs

Bug #1036421 reported by c
Affects: eCryptfs
Status: Incomplete
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Compared to a passphrase, a binary keyfile generated from urandom is more "random".
Compared to an openssl key, an openssl key needs a userspace daemon to mount.

Tyler Hicks (tyhicks) wrote :

How are you performing the eCryptfs mount?

mount.ecryptfs has the passphrase_passwd_file mount option which should meet your needs but I don't think that the more widely used mount.ecryptfs_private helper has anything like this.

Changed in ecryptfs:
status: New → Incomplete
importance: Undecided → Wishlist
c (lsching17) wrote :

Let me describe more precisely:

Compared to a passphrase KEY FILE, a binary keyfile generated from urandom is more "random", so more secure.
Compared to an openssl key FILE, an openssl key needs a userspace daemon to mount.

c (lsching17) wrote :

Besides, a binary keyfile can be "shared" by different encryption systems, reducing the number of key files kept by the user.

E.g. use the same binary keyfile for eCryptfs on a PC and LUKS on a notebook.

Tyler Hicks (tyhicks) wrote :

That's not the part I needed clarification on. :)

How are you performing the eCryptfs mount? Are you using the "encrypted home" feature, are you using "mount -t ecryptfs dst src", are you mounting some other way?

I need to know which eCryptfs mount utility you'd like to pass a key file to.

c (lsching17) wrote :

I am using mount -t ecryptfs dst src

Tyler Hicks (tyhicks) wrote :

Ok, so does the passphrase_passwd_file=FILE mount option not meet your needs?

c (lsching17) wrote :

Does the passphrase_passwd_file=FILE option support a binary keyfile?

Tyler Hicks (tyhicks) wrote : [Bug 1036421] Re: (wishlist) support for binary keyfile in mounting ecryptfs

On 2012-08-14 11:05:02, c wrote:
> does passphrase_passwd_file=FILE option support binary keyfile?

It should, but it rarely gets used or tested. Please let me know if it
doesn't work.

c (lsching17) wrote :

I tested it on Xubuntu x64 12.04, ecryptfs-utils (96-0ubuntu3), kernel 3.2.0-29.

It seems the passphrase_passwd_file=FILE option does not support a binary keyfile.

Test case:

1. Create the testing directory "/test/test_all"
2. Create a binary key file

     dd if=/dev/urandom of=/test/test.keyfile count=1 bs=32

3. Mount the eCryptfs folder

     sudo mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=/test/test.keyfile,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,no_sig_cache,verbosity=0 /test/test_all /test/test_all

Result:

Error attempting to evaluate mount options: [-22] Invalid argument
Check your system logs for details on why this happened.
Try updating your ecryptfs-utils package, and/or
submit a bug report on https://launchpad.net/ecryptfs

Repeating with the plain text keyfile "passwd=testing", the directory mounts OK.
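
An added example, not part of the original thread or of ecryptfs-utils: the last comment reports that raw urandom bytes are rejected while a text keyfile of the form passwd=... mounts, so this script hex-encodes a raw key into that text form and keeps the random material. The function names, the choice of hex encoding and the assumption that the mount helper accepts a 64-character value are not from the page.

```sh
#!/bin/sh
# Added example: keep a urandom-generated key but store it in the text
# form ("passwd=VALUE") that the report says mounts successfully.
# keyfile_kind and wrap_keyfile are hypothetical helper names.

# Print "text" if FILE is one printable line starting with "passwd=",
# otherwise "binary" (raw bytes, NULs, stray newlines, missing key name).
keyfile_kind() {
    nonprint=$(LC_ALL=C tr -d '[:print:]\n' < "$1" | wc -c)
    if [ "$nonprint" -eq 0 ] && [ "$(wc -l < "$1")" -eq 1 ] &&
       grep -q '^passwd=..*$' "$1"; then
        echo text
    else
        echo binary
    fi
}

# Hex-encode raw key SRC into DST as "passwd=<hex>", readable by owner only.
# 32 raw bytes become 64 hex characters with the same 256 bits of entropy;
# that the helper accepts a value of that length is an assumption.
wrap_keyfile() {
    (
        umask 077
        hex=$(od -An -v -tx1 < "$1" | tr -d ' \n')
        [ -n "$hex" ] || exit 1          # refuse an empty key
        printf 'passwd=%s\n' "$hex" > "$2"
        chmod 600 "$2"
    )
}

# Demo on a constructed key in a temporary directory (no mount is attempted).
demo() {
    dir=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$dir/raw.key" bs=32 count=1 2>/dev/null
    wrap_keyfile "$dir/raw.key" "$dir/text.key"
    echo "raw.key:  $(keyfile_kind "$dir/raw.key")"
    echo "text.key: $(keyfile_kind "$dir/text.key")"
    # text.key is what would be passed as passphrase_passwd_file=...
    rm -rf "$dir"
}
demo
```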
