-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fscryptctl insert_key does not persist during switch_root #15
Comments
To mention that the root filesystem is using systemd as init, here is a log:
|
So if you run any To solve this issue, you can either:
|
@josephlr : Thanks for the hints: when using keyctl link @U @s in my initramfs I can see: During Initramfs initialization
When my rootfs is started
My partition is also decrypted and all files visible. However this is not what I want, my final goal is to have an encryted rootfs decrypted in initramfs and boot from it using switch_root. In this configuration systemd does not even start! (located in encrypted rootfs) |
I enabled systemd debugging in Kernel using
Before I do a switch_root, I can see that my rootfs is correclty decrypted
It looks like systemd is started but the encyption is somehow lost, I see many errors with
|
@embexus your input has helped me root-cause this. Thank you. Encryption keys in
However, this change was not added to |
As a workaround, |
@josephlr : thanks for the hint, but for my small embedded system GO application is NoGo, way too big. do you think this change in fscyptctl will do it ?
|
@embexus that will fix the issue. I would accept such a patch. I would probably want to also add some checking that the user keyring is accessible from the current session keyring (to prevent issues like this in the future). It would be a change to
I've recently considered adding additional functionality to However, I'd like to know more about your constrains for using |
@josephlr I testet the changes using fscryptctl with USER Keyring instead of Session Keryring (cf. Patch above) however still getting the same error! I did also the setup with my rootfs using eCryptfs and it did work ! I suspect there is an issue with systemd and keys of type logon. I have size constraints for my embedded system, initramfs should be a small as possible. fscryptctl compiled for ARM is around 17kB (stripped) fscryptctl is definitely much better suited for embedded systems and should be further maintained ;-) |
I don't know how I missed this part. Are you trying to encrypt the whole partition, or just some of the directories on the partition. Encrypting the whole partition is better suited to tools like
This is possible, but it's most likely not the type of the keys, but rather which keyring they are in. With that patch, the key will be now always be put in the user keyring (in this case, the root user's keyring). However, you still have to have the root user's keyring linked into your session keyring for everything to work. This means that any software either needs to either: This systemd limitation makes setup harder when using filesystem encryption with system files. This is why filesystem encryption is usually just used with user data (like home directories) or data directories (say a media or documents directory). We've been trying to fix it, but the real solution is probably this kernel patchset by @ebiggers.
Note that
No worries on that front, I was just considering adding functionality to |
@josephlr, I'm encrypting my whole rootfs. As I wrote before I use a Nand Flash with UBIFS so dmcrypt is not suited. eCryptfs did the Job, but I prefere using fscrypt/fscryptctl as it's lightweight, has better performance and much easier to setup.
I added
But same results.
I don't use PAM at all (disabled in Systemd)
But it does work with eCryptfs, what is the difference ?
will be great, thanks for maintaining this Software ;-) |
Ohhhh, thats interesting. I've actually not heard of this particular drawback of dmcrypt. Do you have any info about the specifics? Is it because of not wanting to encrypt the FS metadata?
Doing this should fix issues in the session when you run this command, but will not fix the issue in other sessions that don't have the user keyring linked.
I think it's a difference in the in-kernel implementation. As ecryptfs is a stacked filesystem, the key (i think it's called the FEFEK) is read at mount time (from the kernel keyring), but then is persisted for the duration mount by the kernel. But fscrypt is a not a stacked filesystem. It's just part of whatever filesystem you are using, where encrypted directories behave like eCryptfs mount points. As mount/unmount cannot be used to manage lifetimes anymore, the key lifetime (in the keyring) is used instead. The choice to use the kernel keyring at all (which is buggy, complex, and has DOS vectors) was a mistake by both eCryptfs and fscrypt, which the linked kernel patches tries to fix. I would try seeing if there's a way to just have systemd use |
Note that Linux 5.4 added support for a new encryption policy version and a new way of managing filesystem encryption keys. When used, the encryption keys are added to a filesystem keyring rather than a session keyring; this avoids problems where processes can't access encrypted files that are supposed to be unlocked. #16 will add support for this to |
@embexus now that V2 policies have been added in #16 (and support for V1 policies have been removed) I'm going to close this. Using V2 policies should resolve all of the issues you mentioned above (as well as other security/usability improvements). Please reopen if the recent changes don't resolve your issues. |
I would like to encrypt my root partition using fscrypt.
I insert the key in initramfs:
then mount my rootfs:
Finally excuting switch_root:
The last command fails since the key does not survive the switch_root probably because /proc & /sys are remounted.
Is there anyway to persist the key during this stage ?
The text was updated successfully, but these errors were encountered: