I have tested ecryptfs on Fedora 9 and I don't understand why the files of an encrypted directory are readable when the directory is mounted with a wrong passphrase.
I did the following (lines which begin with [EMAIL PROTECTED] are input from a user, with [EMAIL PROTECTED] are input from root, lines with > are output and lines with # are comments):

[EMAIL PROTECTED]: mkdir /tmp/test
[EMAIL PROTECTED]: mount -t ecryptfs /tmp/test /tmp/test
>Select key type to use for newly created files:
> 1) passphrase
> 2) openssl
>Selection:
[EMAIL PROTECTED]: 1
> Passphrase:
[EMAIL PROTECTED]: test
> Verify Passphrase:
[EMAIL PROTECTED]: test
>Select cipher:
> 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
> 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
> 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
> 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
> 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
> 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
>Selection [aes]:
[EMAIL PROTECTED]: <return>
>Select key bytes:
> 1) 16
> 2) 32
> 3) 24
>Selection [16]:
[EMAIL PROTECTED]: <return>
>Enable plaintext passthrough (y/n):
[EMAIL PROTECTED]: n
>Attempting to mount with the following options:
> ecryptfs_key_bytes=16
> ecryptfs_cipher=aes
> ecryptfs_sig=d395309aaad4de06
>WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
>it looks like you have never mounted with this key
>before. This could mean that you have typed your
>passphrase wrong.
>
>Would you like to proceed with the mount (yes/no)?
[EMAIL PROTECTED]: yes
>Would you like to append sig [d395309aaad4de06] to
>[/root/.ecryptfs/sig-cache.txt]
>in order to avoid this warning in the future (yes/no)?
[EMAIL PROTECTED]: yes
>Successfully appended new sig to user sig cache file
>Mounted eCryptfs
[EMAIL PROTECTED]: echo Hello > /tmp/test/Test
[EMAIL PROTECTED]: cat /tmp/test/Test
> Hello
[EMAIL PROTECTED]: umount /tmp/test
# The file /tmp/test/Test is not readable anymore
# (only encrypted text).

[EMAIL PROTECTED]: mount -t ecryptfs /tmp/test /tmp/test
>Select key type to use for newly created files:
> 1) passphrase
> 2) openssl
>Selection:
[EMAIL PROTECTED]: 1
> Passphrase:
[EMAIL PROTECTED]: ZZZ
# The passphrase is wrong!
>Verify Passphrase:
[EMAIL PROTECTED]: ZZZ
>Select cipher:
> 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
> 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
> 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
> 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
> 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
> 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
>Selection [aes]:
[EMAIL PROTECTED]: <return>
>Select key bytes:
> 1) 16
> 2) 32
> 3) 24
>Selection [16]:
[EMAIL PROTECTED]: <return>
> Enable plaintext passthrough (y/n):
[EMAIL PROTECTED]: n
>Attempting to mount with the following options:
> ecryptfs_key_bytes=16
> ecryptfs_cipher=aes
> ecryptfs_sig=59c481ccf04080d4
>WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
>it looks like you have never mounted with this key
>before. This could mean that you have typed your
>passphrase wrong.
>
>Would you like to proceed with the mount (yes/no)?
[EMAIL PROTECTED]: yes
>Would you like to append sig [59c481ccf04080d4] to
>[/root/.ecryptfs/sig-cache.txt]
>in order to avoid this warning in the future (yes/no)?
[EMAIL PROTECTED]: no
>Not adding sig to user sig cache file; continuing with mount.
>Mounted eCryptfs
[EMAIL PROTECTED]: cat /tmp/test/Test
> Hello

Why is the file /tmp/test/Test readable although root gave the wrong passphrase?

Dietmar