Found out why it works like this. Kernel keeps those keys in clear text and encrypts FEFEK only when exported to user space. That explains the behavior. Sorry for the extra traffic.

Thanks.

/Jarkko

On Fri, Nov 9, 2012 at 8:49 AM, Jarkko Sakkinen <jarkko.sakkinen@xxxxxx> wrote:
> Hi
>
> I'm experiencing a bizarre problem with ECryptFS keys.
>
> Preconditions:
> - 3.7-rc4 mainline kernel.
> - Minimal RootFS made with BuildRoot, bundled into kernel image (initramfs).
> - Fresh boot.
> - 32 MB FAT loopback image mounted on /mnt.
>
> I execute the following sequence:
>
> mykeyid=`keyctl add encrypted 1000100010001000 "new ecryptfs user:device-key 64" @u`
> echo $mykeyid
> keyctl print $mykeyid
> keyctl list @u
> mount -t ecryptfs -oecryptfs_sig=1000100010001000,ecryptfs_fnek_sig=1000100010001000,ecryptfs_cipher=aes,ecryptfs_key_bytes=32 /mnt /mnt
> echo "mount returned $?"
> mount|grep ecryptfs
> keyctl list @u
>
> Execution:
>
> # mykeyid=`keyctl add encrypted 1000100010001000 "new ecryptfs user:device-key 64" @u`
> # echo $mykeyid
> 541909842
> # keyctl print $mykeyid
> keyctl_read_alloc: Cannot allocate memory
> # EXPECTED
> # keyctl list @u
> 1 key in keyring:
> 541909842: --alswrv 0 0 encrypted: 1000100010001000
> # mount -t ecryptfs -oecryptfs_sig=1000100010001000,ecryptfs_fnek_sig=1000100010001000,ecryptfs_cipher=aes,ecryptfs_key_bytes=32 /mnt /mnt
> # echo "mount returned $?"
> mount returned 0
> # mount|grep ecryptfs
> /mnt on /mnt type ecryptfs (rw,relatime,ecryptfs_fnek_sig=1000100010001000,ecryptfs_sig=1000100010001000,ecryptfs_cipher=aes,ecryptfs_key_bytes=32)
> # NOT EXPECTED. Shouldn't this fail?
> # keyctl list @u
> 1 key in keyring:
> 541909842: --alswrv 0 0 encrypted: 1000100010001000
>
> Why does mount work? Thanks.
>
> /Jarkko