You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm trying to setup two protectors against a single policy with key files, but it seems it doesn't work.
Preparations
root@client:~# dd if=/dev/zero of=/tmp/file bs=1M count=100
root@client:~# mkfs.ext4 -O encrypt /tmp/file
root@client:~# mkdir /mnt/ext4
root@client:~# mount -o loop /tmp/file /mnt/ext4
root@client:~# fscrypt setup /mnt/ext4/
root@client:~# fscrypt status
filesystems supporting encryption: 1
filesystems with fscrypt metadata: 1
MOUNTPOINT DEVICE FILESYSTEM ENCRYPTION FSCRYPT
/ /dev/sda2 ext4 not enabled No
/boot/efi /dev/sda1 vfat not supported No
/mnt/ext4 /dev/loop0 ext4 supported Yes
Generates two key and create protectors with each key.
root@client:~# head --bytes=32 /dev/urandom > key1
root@client:~# head --bytes=32 /dev/urandom > key2
root@client:~# fscrypt metadata create protector /mnt/ext4 --name=key1 --source=raw_key --key=key1 --quiet
root@client:~# fscrypt metadata create protector /mnt/ext4 --name=key2 --source=raw_key --key=key2 --quiet
root@client:~# fscrypt status /mnt/ext4
ext4 filesystem "/mnt/ext4" has 2 protectors and 0 policies.
Only root can create fscrypt metadata on this filesystem.
PROTECTOR LINKED DESCRIPTION
69ac0e788e88b060 No raw key protector "key2"
c198cb2e6ceb4a12 No raw key protector "key1"
Create policy with protector for key1
root@client:~# fscrypt metadata create policy /mnt/ext4 --protector=/mnt/ext4:c198cb2e6ceb4a12 --key=key1 --quiet
root@client:~# fscrypt status /mnt/ext4
ext4 filesystem "/mnt/ext4" has 2 protectors and 1 policy.
Only root can create fscrypt metadata on this filesystem.
PROTECTOR LINKED DESCRIPTION
69ac0e788e88b060 No raw key protector "key2"
c198cb2e6ceb4a12 No raw key protector "key1"
POLICY UNLOCKED PROTECTORS
5c52cd53dbc5a3ae2895b6ce501e4ce2 No c198cb2e6ceb4a12
Finally, Add another protector "key2" to same policy, but it fails
when I setup protector with passphrase instead of binary key, it works below. But, it also asked passphrase for key1.
However, I can't any options in "fscrypt metadata add-protector-to-policy" to specify key file which is already added in policy.
Any ideas "fscrypt metadata add-protector-to-policy" command works in key files rather than passphrase?
root@client:~# fscrypt metadata create protector /mnt/ext4
root@client:~# fscrypt metadata create protector /mnt/ext4
root@client:~# fscrypt status /mnt/ext4
ext4 filesystem "/mnt/ext4" has 2 protectors and 0 policies.
Only root can create fscrypt metadata on this filesystem.
PROTECTOR LINKED DESCRIPTION
8b77fdf8f50a01bb No custom protector "key2"
fa4082fa69ceb902 No custom protector "key1"
root@client:~# fscrypt metadata create policy /mnt/ext4 --protector=/mnt/ext4:fa4082fa69ceb902
Enter custom passphrase for protector "key1":
Create new policy on "/mnt/ext4" [Y/n]
Policy 9ae0b91b668b03113fa52add93c29ff6 created on filesystem "/mnt/ext4".
root@client:~# fscrypt status /mnt/ext4
ext4 filesystem "/mnt/ext4" has 2 protectors and 1 policy.
Only root can create fscrypt metadata on this filesystem.
PROTECTOR LINKED DESCRIPTION
8b77fdf8f50a01bb No custom protector "key2"
fa4082fa69ceb902 No custom protector "key1"
POLICY UNLOCKED PROTECTORS
9ae0b91b668b03113fa52add93c29ff6 No fa4082fa69ceb902
root@client:~# fscrypt metadata add-protector-to-policy --protector=/mnt/ext4:8b77fdf8f50a01bb --policy=/mnt/ext4:9ae0b91b668b03113fa52add93c29ff6
WARNING: All files using this policy will be accessible with this protector!!
Protect policy 9ae0b91b668b03113fa52add93c29ff6 with protector 8b77fdf8f50a01bb? [Y/n]
Enter custom passphrase for protector "key2":
Enter custom passphrase for protector "key1":
Protector 8b77fdf8f50a01bb now protecting policy 9ae0b91b668b03113fa52add93c29ff6.
root@client:~# fscrypt status /mnt/ext4
ext4 filesystem "/mnt/ext4" has 2 protectors and 1 policy.
Only root can create fscrypt metadata on this filesystem.
PROTECTOR LINKED DESCRIPTION
8b77fdf8f50a01bb No custom protector "key2"
fa4082fa69ceb902 No custom protector "key1"
POLICY UNLOCKED PROTECTORS
9ae0b91b668b03113fa52add93c29ff6 No fa4082fa69ceb902, 8b77fdf8f50a01bb
The text was updated successfully, but these errors were encountered:
I'm trying to setup two protectors against a single policy with key files, but it seems it doesn't work.
Preparations
Generates two key and create protectors with each key.
Create policy with protector for key1
Finally, Add another protector "key2" to same policy, but it fails
when I setup protector with passphrase instead of binary key, it works below. But, it also asked passphrase for key1.
However, I can't any options in "fscrypt metadata add-protector-to-policy" to specify key file which is already added in policy.
Any ideas "fscrypt metadata add-protector-to-policy" command works in key files rather than passphrase?
The text was updated successfully, but these errors were encountered: