Alon Bar-Lev wrote:
> I've just gone through some of the eCryptfs code and I've
> noticed they are using the kernel access key retention to
> move keys from user space into kernel. It looks like quite a clean
> implementation so that it does not require any patch to
> util-linux.

(1) Keyctl userland-to-kernel interface is based on strings, and
encrypted loops want hashed binary data. Not compatible without extra
tricks.

(2) Userspace utilities make no attempt to overwrite secret key
material after they are done with it. Serious newbie goofs.

(3) Significant amounts of loop would need to be rewritten because
ioctl() and request_key() interfaces are so different, yet the
benefits would be almost zero.

(4) Mainline Linux motto is: "there is no stable API" which usually
translates to "don't bother writing code to this API". I have seen too
many interfaces change/break under my feet that I am reluctant to add
another dependency to another possibly wildly changing API.

--
Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E A9 DD

-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/