LinuxQuestions.org

Linux - Kernel forum thread: Encrypted ext4 file system with Linux 4.2.3 and e2fsprogs 1.43 (WIP) (https://www.linuxquestions.org/questions/linux-kernel-70/encrypted-ext4-file-system-with-linux-4-2-3-and-e2fsprogs-1-43-wip-4175556992/)

filker0 10-23-2015 04:18 PM

Encrypted ext4 file system with Linux 4.2.3 and e2fsprogs 1.43 (WIP)
 
I have gotten the ext4 encryption working using the latest Debian Stretch updates (kernel 4.2.3 based) with a custom kernel build that has CONFIG_EXT4_FS_ENCRYPTION enabled, however I'm unhappy with the procedure. I have the latest e2fsprogs sources from kernel.org, and I know the patches that bring the kernel up to 4.2.4 do not affect this feature.

Here's what has worked:
  1. Created a new ext4 file system on a HD partition so I don't mess up my "/" ("sudo mkfs.ext4 /dev/sda4")
  2. Created a directory as the mount point for the new file system ("sudo mkdir /encrypt")
  3. Mounted the newly minted ext4 file system ("mount /dev/sda4 /encrypt")
  4. Created a parent and user directory on the newly mounted file system ("sudo mkdir -p /encrypt/users/castsim"). There will be multiple user accounts, each with a directory under "/encrypt/users".
  5. Changed ownership of the newly created user directory ("sudo chown castsim:castsim /encrypt/users/castsim")
  6. Generated salt for the key to be used for encryption ("head -c 16 /dev/random | xxd -p >salt.txt")
  7. Added a salty password to the keyring using "e4crypt" ("e4crypt add_key -S 0x`cat salt.txt`", also tried using "sudo" at the beginning of the command line). At this point I get an error from "e4crypt": "EXT4_IOC_GET_ENCRYPTION_PWSALT: Operation not supported"
  8. I then unmount the /encrypt file system ("umount /encrypt")
  9. Mount the file system on /dev/sda4 with the option "test_dummy_encryption" ("mount /dev/sda4 /encrypt -o test_dummy_encryption")
  10. Create a useless file on the mounted file system, then delete it, thus updating the super-block ("sudo touch /encrypt/delete-me; sudo rm /encrypt/delete-me")
  11. Unmount the file system, then remount it without the "test_dummy_encryption" option ("sudo umount /encrypt; sudo mount /dev/sda4 /encrypt")
  12. Retry the "e4crypt" command ("e4crypt add_key -S 0x`cat salt.txt`"), this time it succeeds, and reports that the key associated with "/encrypt/users/castsim" is "[0887c6acbc55a34b]". I save that hex string in a file.
  13. I copy a number of files into "/encrypt/users/castsim" and make sure I can see them.
  14. Unmount the /encrypt file system and reboot.
  15. Log in and repeat the "e4crypt" command, mount the file system on "/encrypt", verify that the directory "/encrypt/users/castsim" contains files with encrypted names.
  16. Use the same "e4crypt" command line that was used to set up encryption. Verify that the directory "/encrypt/users/castsim" now contains files with the correct names and contents.

On examination of the kernel source module "fs/ext4/ioctl.c", I find that the "Operation not supported" error is because the encryption flag is not set in the "incompatible features" flags of the file system super-block. I found no way to set this through a "mkfs.ext4" option (though it may be there). The only way I've found to set the encryption support flag is to mount the file system with the option "test_dummy_encryption", create then delete a file on the file system, then dismount it.

I don't like the mount with the test option, create a file, delete the file, dismount sequence. Documenting it for others is a pain. Is there a better way of setting the "encrypt" flag in an ext4 file system super-block under Linux 4.2 with e2fsprogs 1.43?

Thanks in advance...
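As an added example (not part of the original post or of e2fsprogs), the following Python script reads the primary ext4 superblock from a device or image file and reports whether the "encrypt" incompat flag (bit 0x10000 of s_feature_incompat) is set; this is the flag whose absence produces the "Operation not supported" error described above. The helper make_test_superblock builds a constructed superblock so the check can be exercised offline.

```python
"""Check an ext4 superblock for the 'encrypt' incompat feature flag."""
import struct
import sys

SUPERBLOCK_OFFSET = 1024                 # primary superblock starts at byte 1024
SUPERBLOCK_SIZE = 1024
OFF_MAGIC = 0x38                         # s_magic, little-endian u16
OFF_FEATURE_INCOMPAT = 0x60              # s_feature_incompat, little-endian u32
EXT4_SUPER_MAGIC = 0xEF53
EXT4_FEATURE_INCOMPAT_ENCRYPT = 0x10000  # the flag the encryption ioctls require


def read_superblock(fh):
    """Return the raw 1024-byte primary superblock from an open file/device."""
    fh.seek(SUPERBLOCK_OFFSET)
    sb = fh.read(SUPERBLOCK_SIZE)
    if len(sb) < SUPERBLOCK_SIZE:
        raise ValueError("short read: not an ext4 image or device")
    return sb


def incompat_features(sb):
    """Validate the magic number and return the s_feature_incompat bitmap."""
    (magic,) = struct.unpack_from("<H", sb, OFF_MAGIC)
    if magic != EXT4_SUPER_MAGIC:
        raise ValueError("bad magic 0x%04x: not an ext2/3/4 superblock" % magic)
    (flags,) = struct.unpack_from("<I", sb, OFF_FEATURE_INCOMPAT)
    return flags


def has_encrypt_feature(sb):
    """True when the superblock advertises the 'encrypt' incompat feature."""
    return bool(incompat_features(sb) & EXT4_FEATURE_INCOMPAT_ENCRYPT)


def make_test_superblock(incompat):
    """Constructed minimal superblock (magic + incompat flags) for offline tests."""
    sb = bytearray(SUPERBLOCK_SIZE)
    struct.pack_into("<H", sb, OFF_MAGIC, EXT4_SUPER_MAGIC)
    struct.pack_into("<I", sb, OFF_FEATURE_INCOMPAT, incompat)
    return bytes(sb)


if __name__ == "__main__":
    # Usage: python3 check_encrypt.py /dev/sda4  (needs read access to the device)
    with open(sys.argv[1], "rb") as fh:
        block = read_superblock(fh)
    print("encrypt feature:", "set" if has_encrypt_feature(block) else "not set")
```

The same bitmap is what `dumpe2fs -h /dev/sda4` prints on its "Filesystem features:" line, and with e2fsprogs 1.43 the flag can be set directly with `tune2fs -O encrypt /dev/sda4` (or at creation with `mkfs.ext4 -O encrypt`).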

