google / fscrypt

Go tool for managing Linux filesystem encryption
Apache License 2.0
905 stars 99 forks

"fscrypt metadata add-protector-to-policy" doesn't work in key files #374

Open sihara opened 1 year ago

sihara commented 1 year ago

I'm trying to set up two protectors for a single policy with key files, but it seems it doesn't work.

Preparations

root@client:~# dd if=/dev/zero of=/tmp/file bs=1M count=100
root@client:~# mkfs.ext4 -O encrypt /tmp/file 
root@client:~# mkdir /mnt/ext4
root@client:~# mount -o loop /tmp/file /mnt/ext4

root@client:~# fscrypt setup /mnt/ext4/
root@client:~# fscrypt status
filesystems supporting encryption: 1
filesystems with fscrypt metadata: 1

MOUNTPOINT  DEVICE      FILESYSTEM  ENCRYPTION     FSCRYPT
/           /dev/sda2   ext4        not enabled    No
/boot/efi   /dev/sda1   vfat        not supported  No
/mnt/ext4   /dev/loop0  ext4        supported      Yes

Generate two keys and create a protector with each key.

root@client:~# head --bytes=32 /dev/urandom > key1
root@client:~# head --bytes=32 /dev/urandom > key2
root@client:~# fscrypt metadata create protector /mnt/ext4 --name=key1 --source=raw_key --key=key1 --quiet
root@client:~# fscrypt metadata create protector /mnt/ext4 --name=key2 --source=raw_key --key=key2 --quiet
root@client:~# fscrypt status /mnt/ext4
ext4 filesystem "/mnt/ext4" has 2 protectors and 0 policies.
Only root can create fscrypt metadata on this filesystem.

PROTECTOR         LINKED  DESCRIPTION
69ac0e788e88b060  No      raw key protector "key2"
c198cb2e6ceb4a12  No      raw key protector "key1"

Create policy with protector for key1

root@client:~# fscrypt metadata create policy /mnt/ext4 --protector=/mnt/ext4:c198cb2e6ceb4a12 --key=key1 --quiet
root@client:~# fscrypt status /mnt/ext4
ext4 filesystem "/mnt/ext4" has 2 protectors and 1 policy.
Only root can create fscrypt metadata on this filesystem.

PROTECTOR         LINKED  DESCRIPTION
69ac0e788e88b060  No      raw key protector "key2"
c198cb2e6ceb4a12  No      raw key protector "key1"

POLICY                            UNLOCKED  PROTECTORS
5c52cd53dbc5a3ae2895b6ce501e4ce2  No        c198cb2e6ceb4a12

Finally, add another protector "key2" to the same policy, but it fails:

root@client:~# fscrypt metadata add-protector-to-policy --protector=/mnt/ext4:69ac0e788e88b060 --policy=/mnt/ext4:5c52cd53dbc5a3ae2895b6ce501e4ce2 --key=key2 --quiet
[ERROR] fscrypt metadata add-protector-to-policy: incorrect key provided

When I set up the protectors with passphrases instead of binary keys, it works, as shown below. But it also asked for the passphrase for key1. However, I can't find any option in "fscrypt metadata add-protector-to-policy" to specify the key file for the protector that is already added to the policy. Any ideas how to make the "fscrypt metadata add-protector-to-policy" command work with key files rather than passphrases?

root@client:~# fscrypt metadata create protector /mnt/ext4
root@client:~# fscrypt metadata create protector /mnt/ext4

root@client:~# fscrypt status /mnt/ext4
ext4 filesystem "/mnt/ext4" has 2 protectors and 0 policies.
Only root can create fscrypt metadata on this filesystem.

PROTECTOR         LINKED  DESCRIPTION
8b77fdf8f50a01bb  No      custom protector "key2"
fa4082fa69ceb902  No      custom protector "key1"

root@client:~# fscrypt metadata create policy /mnt/ext4 --protector=/mnt/ext4:fa4082fa69ceb902
Enter custom passphrase for protector "key1":  
Create new policy on "/mnt/ext4" [Y/n]
Policy 9ae0b91b668b03113fa52add93c29ff6 created on filesystem "/mnt/ext4".

root@client:~# fscrypt status /mnt/ext4
ext4 filesystem "/mnt/ext4" has 2 protectors and 1 policy.
Only root can create fscrypt metadata on this filesystem.

PROTECTOR         LINKED  DESCRIPTION
8b77fdf8f50a01bb  No      custom protector "key2"
fa4082fa69ceb902  No      custom protector "key1"

POLICY                            UNLOCKED  PROTECTORS
9ae0b91b668b03113fa52add93c29ff6  No        fa4082fa69ceb902

root@client:~# fscrypt metadata add-protector-to-policy --protector=/mnt/ext4:8b77fdf8f50a01bb --policy=/mnt/ext4:9ae0b91b668b03113fa52add93c29ff6
WARNING: All files using this policy will be accessible with this protector!!
Protect policy 9ae0b91b668b03113fa52add93c29ff6 with protector 8b77fdf8f50a01bb? [Y/n]
Enter custom passphrase for protector "key2":
Enter custom passphrase for protector "key1":
Protector 8b77fdf8f50a01bb now protecting policy 9ae0b91b668b03113fa52add93c29ff6.

root@client:~# fscrypt status /mnt/ext4
ext4 filesystem "/mnt/ext4" has 2 protectors and 1 policy.
Only root can create fscrypt metadata on this filesystem.

PROTECTOR         LINKED  DESCRIPTION
8b77fdf8f50a01bb  No      custom protector "key2"
fa4082fa69ceb902  No      custom protector "key1"

POLICY                            UNLOCKED  PROTECTORS
9ae0b91b668b03113fa52add93c29ff6  No        fa4082fa69ceb902, 8b77fdf8f50a01bb
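
An end-to-end reproducer for the raw-key case, added here as an example; it is not part of the original report or of fscrypt itself. It assumes root, loop-device support, mkfs.ext4 with the encrypt feature, an existing /etc/fscrypt.conf (global `fscrypt setup` already done), and the fscrypt release the reporter used, where --key is the only key-file option. The image path /tmp/fscrypt374.img and mountpoint /mnt/fscrypt374 are made up. Because --quiet mode takes protector and policy descriptors rather than names, the script pulls them out of `fscrypt status` with two small awk helpers instead of copying hex IDs by hand; those helpers are exercised offline against SAMPLE_STATUS, a constant copied from the status output in this report.

```shell
#!/bin/sh
# Added reproducer for fscrypt issue #374 (raw-key protectors, --quiet mode).
# Not part of fscrypt or of the original report. Requires root and the
# tools used in the report (dd, mkfs.ext4, mount, fscrypt). Paths below are
# made up for this example.
set -eu

IMG=/tmp/fscrypt374.img      # assumption: scratch image path
MNT=/mnt/fscrypt374          # assumption: scratch mountpoint

# Constructed sample: the `fscrypt status /mnt/ext4` output from the report,
# used to check the parsers without touching a real filesystem.
SAMPLE_STATUS='ext4 filesystem "/mnt/ext4" has 2 protectors and 1 policy.
Only root can create fscrypt metadata on this filesystem.

PROTECTOR         LINKED  DESCRIPTION
69ac0e788e88b060  No      raw key protector "key2"
c198cb2e6ceb4a12  No      raw key protector "key1"

POLICY                            UNLOCKED  PROTECTORS
5c52cd53dbc5a3ae2895b6ce501e4ce2  No        c198cb2e6ceb4a12'

# protector_descriptor NAME: read `fscrypt status MNT` on stdin and print the
# 16-hex-digit descriptor of the protector whose description names NAME.
# --quiet mode needs descriptors, so this replaces copying them by hand.
protector_descriptor() {
    awk -v name="\"$1\"" '
        /^PROTECTOR/ { section = "protector"; next }
        /^POLICY/    { section = "policy"; next }
        section == "protector" && length($1) == 16 && index($0, name) > 0 {
            print $1; exit
        }'
}

# policy_descriptor: print the first 32-hex-digit policy descriptor listed.
policy_descriptor() {
    awk '
        /^POLICY/ { section = "policy"; next }
        section == "policy" && length($1) == 32 { print $1; exit }'
}

# sample_lookup NAME|policy: run the matching parser over SAMPLE_STATUS (offline).
sample_lookup() {
    if [ "$1" = policy ]; then
        printf '%s\n' "$SAMPLE_STATUS" | policy_descriptor
    else
        printf '%s\n' "$SAMPLE_STATUS" | protector_descriptor "$1"
    fi
}

# reproduce: the report's steps end to end. Assumes /etc/fscrypt.conf already
# exists (global `fscrypt setup` done) and an fscrypt with a single --key flag.
reproduce() {
    dd if=/dev/zero of="$IMG" bs=1M count=100 status=none
    mkfs.ext4 -q -O encrypt "$IMG"
    mkdir -p "$MNT"
    mount -o loop "$IMG" "$MNT"
    fscrypt setup "$MNT" --quiet

    head --bytes=32 /dev/urandom > key1
    head --bytes=32 /dev/urandom > key2
    fscrypt metadata create protector "$MNT" --name=key1 --source=raw_key --key=key1 --quiet
    fscrypt metadata create protector "$MNT" --name=key2 --source=raw_key --key=key2 --quiet

    p1=$(fscrypt status "$MNT" | protector_descriptor key1)
    p2=$(fscrypt status "$MNT" | protector_descriptor key2)
    fscrypt metadata create policy "$MNT" --protector="$MNT:$p1" --key=key1 --quiet
    pol=$(fscrypt status "$MNT" | policy_descriptor)

    # The failing step from the report: the one --key file has to unlock both
    # the existing policy (key1) and the new protector (key2), so key2 is
    # rejected with "incorrect key provided".
    if fscrypt metadata add-protector-to-policy --protector="$MNT:$p2" \
           --policy="$MNT:$pol" --key=key2 --quiet; then
        echo "add-protector-to-policy succeeded: #374 appears fixed in this build"
    else
        echo "add-protector-to-policy failed as described in #374"
    fi
    fscrypt status "$MNT"
}

if [ "${1:-}" = run ]; then
    reproduce
fi
```

Run it as root with `sh repro.sh run`; without the `run` argument it only defines the helpers and the sample, so it can be sourced or dry-run on any machine. The add-protector-to-policy step is the one the report shows failing with key2; ebiggers' reply below explains why a single --key cannot serve both the policy and the protector.
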

ebiggers commented 1 year ago

It looks like a new option needs to be added to allow specifying the key that unlocks the policy separately from the key that unlocks the protector.

Saloni-Patidar04 commented 6 months ago

@ebiggers Any way to fix this while we use quiet mode and raw keys?