On Wed, May 27, 2020 at 06:04:57PM +0000, Johannes Thumshirn wrote: > On 27/05/2020 15:25, David Sterba wrote: > > The key for all userspace commands needs to be specified the same way as > > for kernel, ie. "--auth-key btrfs:foo" and use the appropriate ioctls to > > read the key bytes. > > Up to now I haven't been able to add a key to the kernel's keyring which > can be read back to user-space. This needs permissions on the key and I think keys from some keyrings cannot be read back even with the permissions set. There's an ioctl equivalent of 'keyctl read' which I used to emulate the reading. Setting the permissions is cumbersome, as it needs to manually craft the hexa value, but otherwise would seems a better way than either specifying the key payload on command line or storing it in a file. I've looked at other projects using keys, eg. ecryptfs-utils, it uses keyctl_read_alloc, so that seems to be the preferred way. > How about passing in a key file, like it is done in UBIFS? Should be doable > both with libsodium and libgcrypt. Keyfile would be better, that's what dm-crypt uses, but still.
