Re: Practical use of ecryptfs, encrypted keys, and TPM: how to convert existing user key to encrypted key?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Sat, 2016-03-26 at 20:46 +0000, James Johnston wrote:
> Hi,
> Short version of this question is:  How do I convert a user key on the keyring
> storing ecryptfs authentication token / FEFEK to an encrypted key on keyring?
> (I.e. how to add an encrypted key with user-specified plaintext data, instead
> of a randomly-generated key - such as a pre-existing mounting passphrase for
> an existing ecryptfs file system.)  Read on for why...
> I'm trying to figure out how to practically use ecryptfs with a TPM, and the
> information I'm finding is generally out-of-date/obsolete.  All I've found is
> blog articles or IBM whitepapers from a few years ago that appear to use
> features that don't exist anymore / unmaintained features.  I've gathered that
> the proper way to do this now involves trusted and encrypted kernel keys, as
> per:

Support for using trusted/encrypted ecryptfs keys was added by Roberto
Sassu as soon as trusted/encrypted keys was upstreamed.  The only
documentation are those that you sited below.

>  *
>  *
> The strategy outlined in the above documentation indicates the idea would be to
> make a new trusted key, sealed with the TPM, and then use it to make a new
> encrypted key in the ecryptfs format, specifying the trusted key as the master.
> That's easy enough to follow, and does what I'm looking for, except...
> The problem is if the TPM dies, I need to recover my data (e.g. computer dies,
> and need to restore from encrypted backups).  What I'm wanting to do is use a
> passphrase to decrypt data if the TPM is not available, to be used only in
> special circumstances. 

Encrypted keys can be updated so that they're encrypted with a different
user or trusted key, but the key type (user | trusted) can not be
changed.  Allowing the key type to change would kind of defeat the
purpose of using a trusted key in the first place.

There was some initial discussions about adding support for trusted key
migration, but nothing was ever posted. 


To unsubscribe from this list: send the line "unsubscribe ecryptfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at

[Index of Archives]     [Linux Crypto]     [Device Mapper Crypto]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux