"fscrypt metadata add-protector-to-policy" doesn't work in key files #374
sihara opened this issue Feb 21, 2023 · 2 comments
@sihara

sihara commented Feb 21, 2023

I'm trying to set up two protectors against a single policy with key files, but it seems it doesn't work.

Preparations

root@client:~# dd if=/dev/zero of=/tmp/file bs=1M count=100
root@client:~# mkfs.ext4 -O encrypt /tmp/file 
root@client:~# mkdir /mnt/ext4
root@client:~# mount -o loop /tmp/file /mnt/ext4


root@client:~# fscrypt setup /mnt/ext4/
root@client:~# fscrypt status
filesystems supporting encryption: 1
filesystems with fscrypt metadata: 1

MOUNTPOINT  DEVICE      FILESYSTEM  ENCRYPTION     FSCRYPT
/           /dev/sda2   ext4        not enabled    No
/boot/efi   /dev/sda1   vfat        not supported  No
/mnt/ext4   /dev/loop0  ext4        supported      Yes

Generate two keys and create a protector with each key.

root@client:~# head --bytes=32 /dev/urandom > key1
root@client:~# head --bytes=32 /dev/urandom > key2
root@client:~# fscrypt metadata create protector /mnt/ext4 --name=key1 --source=raw_key --key=key1 --quiet
root@client:~# fscrypt metadata create protector /mnt/ext4 --name=key2 --source=raw_key --key=key2 --quiet
root@client:~# fscrypt status /mnt/ext4
ext4 filesystem "/mnt/ext4" has 2 protectors and 0 policies.
Only root can create fscrypt metadata on this filesystem.

PROTECTOR         LINKED  DESCRIPTION
69ac0e788e88b060  No      raw key protector "key2"
c198cb2e6ceb4a12  No      raw key protector "key1"

Create a policy with the protector for key1

root@client:~# fscrypt metadata create policy /mnt/ext4 --protector=/mnt/ext4:c198cb2e6ceb4a12 --key=key1 --quiet
root@client:~# fscrypt status /mnt/ext4
ext4 filesystem "/mnt/ext4" has 2 protectors and 1 policy.
Only root can create fscrypt metadata on this filesystem.

PROTECTOR         LINKED  DESCRIPTION
69ac0e788e88b060  No      raw key protector "key2"
c198cb2e6ceb4a12  No      raw key protector "key1"

POLICY                            UNLOCKED  PROTECTORS
5c52cd53dbc5a3ae2895b6ce501e4ce2  No        c198cb2e6ceb4a12

Finally, add another protector "key2" to the same policy, but it fails

root@client:~# fscrypt metadata add-protector-to-policy --protector=/mnt/ext4:69ac0e788e88b060 --policy=/mnt/ext4:5c52cd53dbc5a3ae2895b6ce501e4ce2 --key=key2 --quiet
[ERROR] fscrypt metadata add-protector-to-policy: incorrect key provided

When I set up the protectors with a passphrase instead of a binary key, it works, as shown below. But it also asked for the passphrase for key1.
However, I can't find any option in "fscrypt metadata add-protector-to-policy" to specify the key file that is already added to the policy.
Any ideas how the "fscrypt metadata add-protector-to-policy" command works with key files rather than passphrases?

root@client:~# fscrypt metadata create protector /mnt/ext4
root@client:~# fscrypt metadata create protector /mnt/ext4

root@client:~# fscrypt status /mnt/ext4
ext4 filesystem "/mnt/ext4" has 2 protectors and 0 policies.
Only root can create fscrypt metadata on this filesystem.

PROTECTOR         LINKED  DESCRIPTION
8b77fdf8f50a01bb  No      custom protector "key2"
fa4082fa69ceb902  No      custom protector "key1"


root@client:~# fscrypt metadata create policy /mnt/ext4 --protector=/mnt/ext4:fa4082fa69ceb902
Enter custom passphrase for protector "key1":  
Create new policy on "/mnt/ext4" [Y/n]
Policy 9ae0b91b668b03113fa52add93c29ff6 created on filesystem "/mnt/ext4".

root@client:~# fscrypt status /mnt/ext4
ext4 filesystem "/mnt/ext4" has 2 protectors and 1 policy.
Only root can create fscrypt metadata on this filesystem.

PROTECTOR         LINKED  DESCRIPTION
8b77fdf8f50a01bb  No      custom protector "key2"
fa4082fa69ceb902  No      custom protector "key1"

POLICY                            UNLOCKED  PROTECTORS
9ae0b91b668b03113fa52add93c29ff6  No        fa4082fa69ceb902

root@client:~# fscrypt metadata add-protector-to-policy --protector=/mnt/ext4:8b77fdf8f50a01bb --policy=/mnt/ext4:9ae0b91b668b03113fa52add93c29ff6
WARNING: All files using this policy will be accessible with this protector!!
Protect policy 9ae0b91b668b03113fa52add93c29ff6 with protector 8b77fdf8f50a01bb? [Y/n]
Enter custom passphrase for protector "key2":
Enter custom passphrase for protector "key1":
Protector 8b77fdf8f50a01bb now protecting policy 9ae0b91b668b03113fa52add93c29ff6.


root@client:~# fscrypt status /mnt/ext4
ext4 filesystem "/mnt/ext4" has 2 protectors and 1 policy.
Only root can create fscrypt metadata on this filesystem.

PROTECTOR         LINKED  DESCRIPTION
8b77fdf8f50a01bb  No      custom protector "key2"
fa4082fa69ceb902  No      custom protector "key1"

POLICY                            UNLOCKED  PROTECTORS
9ae0b91b668b03113fa52add93c29ff6  No        fa4082fa69ceb902, 8b77fdf8f50a01bb
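A scripted version of the raw-key reproduction above, added here as an example (it is not the issue author's or the fscrypt project's code). It assumes root, fscrypt on PATH, and a mount point already prepared with "fscrypt setup"; the two helpers pull protector and policy IDs out of "fscrypt status" output, and the embedded sample is constructed from the status output shown in the issue.

```shell
# Added example (not from the issue or the fscrypt project): script the
# raw-key reproduction, reading protector and policy IDs out of
# "fscrypt status" output instead of copying them by hand.

# Constructed sample, taken from the status output in the issue.
SAMPLE_STATUS='ext4 filesystem "/mnt/ext4" has 2 protectors and 1 policy.

PROTECTOR         LINKED  DESCRIPTION
69ac0e788e88b060  No      raw key protector "key2"
c198cb2e6ceb4a12  No      raw key protector "key1"

POLICY                            UNLOCKED  PROTECTORS
5c52cd53dbc5a3ae2895b6ce501e4ce2  No        c198cb2e6ceb4a12'

# Print the 16-hex-digit ID of the protector whose description carries the
# given name (quoted, so "key1" does not match "key10"). Status text on stdin.
protector_id_for_name() {
    awk -v want="\"$1\"" '
        length($1) == 16 && $1 ~ /^[0-9a-f]+$/ && index($0, want) { print $1; exit }'
}

# Print the 32-hex-digit ID of the first policy whose PROTECTORS column
# lists the given protector ID. Status text on stdin.
policy_id_for_protector() {
    awk -v pid="$1" '
        length($1) == 32 && $1 ~ /^[0-9a-f]+$/ && index($0, pid) { print $1; exit }'
}

# Run the issue's command sequence against an already prepared mount point.
# Assumed: run as root, fscrypt on PATH, "fscrypt setup $1" already done.
# Key files are written under umask 077 so the raw keys are owner-only.
reproduce() {
    mnt=$1
    (umask 077 && head --bytes=32 /dev/urandom > key1 && head --bytes=32 /dev/urandom > key2)
    fscrypt metadata create protector "$mnt" --name=key1 --source=raw_key --key=key1 --quiet
    fscrypt metadata create protector "$mnt" --name=key2 --source=raw_key --key=key2 --quiet
    status=$(fscrypt status "$mnt")
    p1=$(printf '%s\n' "$status" | protector_id_for_name key1)
    p2=$(printf '%s\n' "$status" | protector_id_for_name key2)
    fscrypt metadata create policy "$mnt" --protector="$mnt:$p1" --key=key1 --quiet
    pol=$(fscrypt status "$mnt" | policy_id_for_protector "$p1")
    # With the fscrypt version in the issue this fails with "incorrect key
    # provided": --key names the new protector's key only, and there is no
    # flag for the key file that already unlocks the policy.
    fscrypt metadata add-protector-to-policy --protector="$mnt:$p2" \
        --policy="$mnt:$pol" --key=key2 --quiet
}
```

Call `reproduce /mnt/ext4` to run the sequence; the helpers can be used on their own against any "fscrypt status" output.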
@ebiggers ebiggers added the bug label Feb 21, 2023
@ebiggers
Collaborator

It looks like a new option needs to be added to allow specifying the key that unlocks the policy separately from the key that unlocks the protector.

@Saloni-Patidar04

Saloni-Patidar04 commented May 6, 2024

@ebiggers Any way to fix this while we use quiet mode and raw keys?
