On Mon, Jul 13, 2020 at 12:09 AM Iuliana Prodan <iuliana.prodan@xxxxxxx> wrote: > > Tagged keys are keys that contain metadata indicating what > they are and how to handle them using tag_object API. > > Add support, for tagged keys, to skcipher algorithms by > adding new transformations, with _tk_ prefix to distinguish > between plaintext and tagged keys. > > For job descriptors a new option (key_cmd_opt) was added for KEY command. > Tagged keys can be loaded using only a KEY command with ENC=1 > and the proper setting of the EKT bit. The EKT bit in the > KEY command indicates which encryption algorithm (AES-ECB or > AES-CCM) should be used to decrypt the key. These options will be kept in > key_cmd_opt. > > The tk_ transformations can be used directly by their name: > struct sockaddr_alg sa = { > .salg_family = AF_ALG, > .salg_type = "skcipher", /* this selects the symmetric cipher */ > .salg_name = "tk(cbc(aes))" /* this is the cipher name */ > }; > or for dm-crypt, e.g. using dmsetup: > dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/mmcblk2p10) > crypt capi:tk(cbc(aes))-plain :32:logon:seckey 0 /dev/mmcblk2p10 0 1 > sector_size:512". How to use it with cryptsetup? I'm asking because it is not clear to me why you are not implementing a new kernel key type (KEYS subsystem) to utilize tagged keys. Many tools already support the keyctl userspace interface (cryptsetup, fscrypt, ...). -- Thanks, //richard