I am trying to come up with a usable configuration of ecryptfs to create a secured directory for our product to stash some of its configuration and data in. This diretory needs to be keyed to the TPM in the system in such a fashion that the directory will only be readable if it is the same system it was originally configured on. This means keying it to one or more PCR's in the TPM.
I had this working after some floundering earlier on RHEL 5.2 but so far have been unable to reproduce it on CentOS 5.2(which should have been easy). First, Could anyone please confirm for me if they have a configuration like this running on CentOS 5.2 and if so, using what versions of trousers, ecryptfs, and kernel? Second, to describe my results. Using Trousers 1.3.1 as distributed with Centos 5.2, and ecryptfs-utils 41, (this is the version shipped with 5.2, however it was necessary to download the sourcecode and reconfigure with the --with-tspi parameter. Then the following is done to prepare to mount the directory. modprobe tpm_tis /usr/sbin/tcsd modprobe ecryptfs /usr/bin/ecryptfsd Then I generate a key using pcr 1 and note the uuid in the output using: ecryptfs-generate-tpm-key -p 1 Then I mount a ecryptfs filesystem: mount -t ecryptfs /secret /secret and select option 3. tspi, provide the uuid from above, and accept defaults for the rest of the prompts, Here's how that goes # mount -t ecryptfs /secret /secret Select key type to use for newly created files: 1) passphrase 2) openssl 3) tspi Selection: 3 uuid: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Select cipher: 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded) 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded) 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded) 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded) 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded) 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded) Selection [aes]: Select key bytes: 1) 16 2) 32 3) 24 Selection [16]: Enable plaintext passthrough (y/n): n Attempting to mount with the following options: ecryptfs_key_bytes=16 ecryptfs_cipher=aes ecryptfs_sig=60f028ebb293325a Mounted eCryptfs This all goes fine. I then create a test file in the /secret directory and as expected there is a slight pause, and the file is created. I can turn around at cat out the test file and it shows the expected contents. I then unmount the directory and cat the file again and as expected get gibrish. I then re-mount the directory, using the same procedure as above but am unable to decrypt the file. Upon attempting to cat the file out I get cat: /secret/test: Input/output error messages following this shows the following. Jul 1 10:09:42 localhost ecryptfsd: Tspi_Data_Unseal failed: [Bad input size] Jul 1 10:09:42 localhost ecryptfsd: Failed to get size for decrypted key Jul 1 10:09:42 localhost ecryptfsd: Failed to decrypt key; rc = [-5] Jul 1 10:09:42 localhost kernel: Failed to parse tag 65 packet; rc = [-5] Jul 1 10:09:42 localhost kernel: ecryptfs_parse_packet_set: Error decrypting the session key for authentication token with sig []; rc = [-5]. Removing auth tok candidate from the list and searching for the next match. Jul 1 10:09:42 localhost kernel: ecryptfs_parse_packet_set: Could not find a usable authentication token Jul 1 10:09:42 localhost kernel: Error attempting to read the [user.ecryptfs] xattr from the lower file; return value = [4294967235] Jul 1 10:09:42 localhost kernel: Attempt to read file that is not in a valid eCryptfs format, and plaintext passthrough mode is not enabled; returning -EIO Its unclear to me if this is a trousers or an ecryptfs issue. Thankyou to the developers who were trying to help me in IRC, and I promise to return later and help with testing the bleeding edge in any way I can, however I need to get this back to the configuration I had working a few weeks ago on a pretty much stock Redhat EL system. Any input from someone running a similar configuration, or seeing something in my procedure or results would be greatly appreciated. ------------------------------------------------------------------------- Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://sourceforge.net/services/buy/index.php _______________________________________________ eCryptfs-users mailing list eCryptfs-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ecryptfs-users
