> Subject: Re: Separating different ecryptfs mounts
>
> My apologies for the long delay.
>
> On 2014-09-25 10:48:23, Christian Stüble wrote:
> > Hello,
> >
> > I had an error in my configuration, see below:
> >
> > On Thursday, 25 September 2014, 10:10:58, Christian Stüble wrote:
> > > Hi Tyler,
> > > hi List
> > >
> > > we did some more tests to find out whether there are other
> > > alternatives than adding another option and we found some
> > > interesting behavior I do not understand:
> > >
> > > When mounting the example scenario given below:
> > >
> > > plain1 -> raw1
> > > plain2 -> raw2
> > >
> > > as a normal Linux user using sudo and passphrase-based encryption I
> > > get the result as required:
> > >
> > > 1) The user can write/read files to/from plain1
> > > 2) The user can write/read files to/from plain2
> > > 3) Files exchanged between raw1 and raw2 cannot be read.
> > > 4) Root, however, can read files exchanged between raw1 and
> > > raw2
> > >
> > > Is this an intended behavior? It seems that ecryptfs only uses the
> > > keys directly assigned to the mount for decryption for normal
> > > users, but all keys for the root user.
> > This behavior is still unclear to me.
>
> I can't reproduce this behavior. I can move the files between the
> lower mount points and read the files out of each upper mount point.
>
> As I mentioned before, directly modifying the lower mount point while
> eCryptfs is mounted is not supported and may result in data loss. You
> should unmount the eCryptfs layer before modifying the lower mount point.
>
> One thing to check is that you have both mount keys in each session:
>
> $ keyctl show
> Session Keyring
>  965589071 --alswrv   1000  1000  keyring: _ses
>  155596823 --alswrv   1000 65534   \_ keyring: _uid.1000
>  589053956 --alswrv   1000  1000   \_ user: 253ca7e88811d184
>  760940678 --alswrv   1000  1000   \_ user: 72c0078c0eaa7eec
>
> Different distributions use the kernel keyring and the pam_keyinit PAM
> module differently.
> eCryptfs searches the user session keyring. You'll
> only be able to read files created under mounts whose key(s) are in
> the current user session keyring. Doing things like opening a new SSH
> session may result in a new user session keyring, depending on how
> your system is configured.

Hi Tyler,

I have a question related to the use case Chris is describing. I have seen that at the kernel level there is an additional mount option "ecryptfs_mount_auth_tok_only" which forces ecryptfs to only use the keys specified by 'ecryptfs_sig' and 'ecryptfs_fnek_sig' for *decryption* of files (as I understand it, by default they are only used for encryption of newly created files under the given mount point). Can you clarify the (implementation) state of that option? I thought that was a potential way to restrict what keys are used for individual mount points?

Thanks for your help,
Anna
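A check for the point Tyler makes above (both mount keys must be present in the current session keyring), as an added shell example that is not from the thread. It runs on constructed sample input (the `keyctl show` listing quoted above plus a made-up mount whose signature is absent) and assumes the mount options are taken from the options field of the eCryptfs line in /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the thread: given the options of an eCryptfs mount
# (as shown in /proc/mounts) and the output of `keyctl show`, report any
# ecryptfs_sig / ecryptfs_fnek_sig that is not a "user:" key in the session
# keyring. A missing key means files under that mount will not decrypt.

# Constructed sample: the keyring from the thread, one mount whose two keys are
# present, and one mount whose (made-up) signature is absent.
KEYCTL_SAMPLE='Session Keyring
 965589071 --alswrv   1000  1000  keyring: _ses
 155596823 --alswrv   1000 65534   \_ keyring: _uid.1000
 589053956 --alswrv   1000  1000   \_ user: 253ca7e88811d184
 760940678 --alswrv   1000  1000   \_ user: 72c0078c0eaa7eec'
MOUNT_OK='rw,relatime,ecryptfs_sig=253ca7e88811d184,ecryptfs_fnek_sig=72c0078c0eaa7eec,ecryptfs_cipher=aes,ecryptfs_key_bytes=16'
MOUNT_MISSING='rw,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16'

# extract_sigs OPTIONS: print each distinct key signature named in the mount options
extract_sigs() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^ecryptfs_\(fnek_\)\{0,1\}sig=//p' | sort -u
}

# missing_sigs OPTIONS KEYCTL_OUTPUT: print signatures with no matching user key;
# exit status 1 if any are missing, 0 if the session keyring holds them all
missing_sigs() {
    rc=0
    for sig in $(extract_sigs "$1"); do
        if ! printf '%s\n' "$2" | grep -q "user: $sig\$"; then
            echo "$sig"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run over the constructed samples. On a live system feed it
#   awk '$3=="ecryptfs"{print $4}' /proc/mounts   (one options line per mount)
# and "$(keyctl show)" instead of the constants.
for opts in "$MOUNT_OK" "$MOUNT_MISSING"; do
    if missing_sigs "$opts" "$KEYCTL_SAMPLE" >/dev/null; then
        echo "ok: all keys for [$opts] are in the session keyring"
    else
        echo "missing keys for [$opts]: $(missing_sigs "$opts" "$KEYCTL_SAMPLE" | tr '\n' ' ')"
    fi
done
```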