The 'encrypted' key type defines its own payload format which contains a
symmetric key randomly generated that cannot be used directly to mount
an eCryptfs filesystem, because it expects an authentication token
This patch introduces the new format 'ecryptfs' that allows to store an
authentication token structure inside the encrypted key payload containing
a randomly generated symmetric key, as the same for the format 'default'.
More details about the usage of encrypted keys with the eCryptfs
filesystem can be found in the file 'Documentation/keys-ecryptfs.txt'.
Signed-off-by: Roberto Sassu <firstname.lastname@example.org>
Documentation/keys-ecryptfs.txt | 60 +++++++++++++++++++++
Documentation/keys-trusted-encrypted.txt | 6 ++-
security/keys/Makefile | 2 +-
security/keys/encrypted_defined.c | 83 +++++++++++++++++++++++++++---
security/keys/keys_ecryptfs.c | 81 +++++++++++++++++++++++++++++
security/keys/keys_ecryptfs.h | 30 +++++++++++
6 files changed, 252 insertions(+), 10 deletions(-)
create mode 100644 Documentation/keys-ecryptfs.txt
create mode 100644 security/keys/keys_ecryptfs.c
create mode 100644 security/keys/keys_ecryptfs.h
diff --git a/Documentation/keys-ecryptfs.txt b/Documentation/keys-ecryptfs.txt
new file mode 100644
@@ -0,0 +1,60 @@
+ECryptfs is a stacked filesystem which transparently encrypts and decrypts each
+file using a randomly generated File Encryption Key (FEK).
+Each FEK is in turn encrypted with a File Encryption Key Encryption Key (FEFEK)
+either in kernel space or in user space with a daemon called 'ecryptfsd'. In
+the former case the operation is performed directly by the kernel CryptoAPI
+using a key, the FEFEK, derived from a user prompted passphrase; in the latter
+the FEK is encrypted by 'ecryptfsd' with the help of external libraries in order
+to support other mechanisms ...