Anand,

On Tue, Feb 14, 2017 at 11:18 AM, Anand Jain <anand.jain@xxxxxxxxxx> wrote:
>
> Hi Ted,
>
> As of now root[1] can access the plain-text when the data is cached
> by the user-with-the-key and, root gets error no-key when data is
> not cached by the user-with-the-key. I think this behavior is a
> bug if not, wrong design, or looks like I am missing something.
>
> [1] for that matter any user who has read access to the files but
> does not have the keys.

Well, as soon as the key is loaded, plaintext of pages and filenames will be
stored in page- and dcache and any users that can access the files will see
the plaintext.
If you want to keep /secret really secret you have to apply correct DAC/MAC
permissions as well. Or put /secret into a private mount namespace.

--
Thanks,
//richard
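
Added example, not part of the original message: a shell check for the DAC half of the advice above. It lists entries under a directory (such as the thread's /secret) that still grant group or other access, and can strip those bits; the function names `audit_dac` and `lock_down` are assumptions made for illustration, and GNU find/chmod are assumed.

```shell
# Once the key is loaded, cached plaintext is served to any user the mode
# bits let through, so group/other bits on the tree are the exposure.

# List entries under DIR (DIR included) that grant any group/other bit.
# Symlinks are skipped: their own mode always reads 0777 and is not what
# the kernel checks on access.
# Exit status: 0 = nothing exposed, 1 = at least one entry exposed.
audit_dac() {
    local dir="$1"
    local hits
    hits=$(find "$dir" ! -type l -perm /077 -print)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Remove all group/other access below DIR so that only the owner (the
# user holding the key) passes the DAC check. This does not restrict
# root; that needs MAC policy or a private mount namespace.
lock_down() {
    chmod -R go-rwx -- "$1"
}

# Optional command-line use: pass the directory to audit as argument 1.
[ "$#" -eq 0 ] || audit_dac "$1"
```

Run the audit as the directory's owner so that find can descend into subdirectories that are already owner-only.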