Re: eCryptfs using openssl encountered "Transport endpoint is not connected" when writing file into the mounted folder

On 2013-12-09 18:32:54, cc chen wrote:
> Greetings, 
> 
> 
> I am having the error as per subject when I am using the openssl
> (passphrase) key type, the thing is I don't get this error when using the
> passphrase as key type.

The OpenSSL support in eCryptfs has never been very polished. There's
not much user demand for it at this time, so the focus has primarily
been placed on passphrase support.

> 
> Below are the steps using openssl as the key type. I would appreciate it if
> someone could advise what the mistake is:
> 
> (A) Create test.pem public/private cert using "ecryptfs-manager"
> (B) List of commands to mount the disk and result output:
> 
> # mount -t ecryptfs  /secure/.s3 /secure/s3
> Select key type to use for newly created files:
>  1) openssl
>  2) passphrase
>  3) tspi
> Selection: 1
> PEM key file [/root/.ecryptfs/pki/openssl/key.pem]: test.pem
> Method of providing the passphrase:
>  1) openssl_passwd: Enter on Console
>  2) openssl_passwd_file: File Containing Passphrase
>  3) openssl_passwd_fd: File Descriptor for File Containing Passphrase
> Selection [openssl_passwd]: 1
> Passphrase:
> Select cipher:
>  1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
>  2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
>  3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
>  4) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
>  5) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
> Selection [aes]:
> Select key bytes:
>  1) 16
>  2) 32
>  3) 24
> Selection [16]:
> Enable plaintext passthrough (y/n) [n]:
> Enable filename encryption (y/n) [n]:
> Attempting to mount with the following options:
>   ecryptfs_unlink_sigs
>   ecryptfs_key_bytes=16
>   ecryptfs_cipher=aes
>   ecryptfs_sig=74c90d4c6548e015
> WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
> it looks like you have never mounted with this key
> before. This could mean that you have typed your
> passphrase wrong.
> 
> Would you like to proceed with the mount (yes/no)? : yes
> Would you like to append sig [74c90d4c6548e015] to
> [/root/.ecryptfs/sig-cache.txt]
> in order to avoid this warning in the future (yes/no)? : no
> Not adding sig to user sig cache file; continuing with mount.
> Mounted eCryptfs
> 
> # cd s3
> # touch test1
> touch: cannot touch `test1': Input/output error

You need to have an ecryptfsd process running for each user that will be
accessing the mount point. The kernel asks ecryptfsd to wrap/unwrap the
file encryption key using the public/private key that you generated with
OpenSSL.

Performance is bad and I wouldn't expect as stable of an experience as
with passphrase based mounts. It would be great if someone was
interested in fostering the OpenSSL feature to bring it up to the
same level of maturity as passphrase.

Tyler
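
The per-user ecryptfsd requirement from the reply above, as an added pre-flight check that is not part of the original thread. The function names are hypothetical, the process listing is a constructed sample, and the input format is assumed to be that of `ps -eo user=,comm=`.

```shell
#!/bin/sh
# Added example: before using an eCryptfs mount with the openssl key type,
# report which users have no ecryptfsd process of their own.

# Reads "USER COMMAND" pairs on stdin (assumed format: `ps -eo user=,comm=`)
# and prints, space-separated, every user named in the arguments that owns
# no process called ecryptfsd. Prints an empty line when nobody is missing.
users_missing_ecryptfsd() {
    listing=$(cat)
    missing=""
    for user in "$@"; do
        # awk exits 0 only if this user owns an ecryptfsd process.
        if ! printf '%s\n' "$listing" |
            awk -v u="$user" \
                '$1 == u && $2 == "ecryptfsd" { found = 1 } END { exit !found }'
        then
            missing="${missing:+$missing }$user"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed sample listing: root and bob run ecryptfsd, alice does not.
sample_ps() {
    cat <<'EOF'
root ecryptfsd
root sshd
alice bash
bob ecryptfsd
EOF
}

# Demo on the constructed sample; prints "alice".
sample_ps | users_missing_ecryptfsd root alice bob

# Live use (user names are placeholders):
#   ps -eo user=,comm= | users_missing_ecryptfsd root alice
```

Any user the function prints needs an ecryptfsd process started before accessing the mount point.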
