Thanks for your explanation and time.

OK. At first thought I also expected access control to encrypted files to be managed by Unix permissions/POSIX ACLs. But then user2 should be able to access and use any file/directory for which user1 keeps the right key in his keyring and user2 has the needed permissions/ACLs. My reality is different: user1 has to access files/directories first so that user2 can write to them, except if I link the key of user1 into the keyring of user2. Using user or session based keys suggests to me that no other session/user is able to take advantage of them.

It seems to me to be as follows:

- permissions/ACLs control the access rights to en-/decrypted filesystem objects
- each object (file/directory) has to be decrypted by the key owner before other (permission/ACL enabled) users can access encrypted content

Did I understand it right now?

This results in different views of an encrypted folder by third users, dependent on the keyholder's behaviour in this folder. That's not intuitive and makes it hard to debug.

My use case is an encrypted folder on an external storage shared by local and remote Samba users. So I have to add the decryption key to one user and link it to all the others.

Kind regards

Ronny Seffner
--
Ronny Seffner | Alter Viehweg 1 | 01665 Klipphausen
www.seffner.de | ro...@seffner.de | +49 35245 72950
7EA62E22D9CC4F0B74DCBCEA864623A568694DB8