나 윤주 | 9 Aug 2007 20:27

File operation on eCryptfs mounted with tpm_keyring.

Hi.

I have some problem using TPM_keyring and eCryptfs.

I am using Linux kernel 2.6.17.14, eCryptfs-20060927, trousers-0.2.8, and 
tpm_keyring2-0.1.

I mounted ecryptfs with '-o key=tpm:uuid=' option.
I succeeded in mounting, but I can't open/write files at the mounted location.

Specifically, my sequence was the following.

$ mount -t ecryptfs efs1/ efs2/ -o key=tpm:uuid=(the 20bytes from 
tpm_keyring)
$ cd efs2/
$ vim test_file

When I try to open test_file, it is just in read-only mode.
But if I mount ecryptfs with a passphrase instead of the tpm option,
I can read/write/open files at the mounted location, efs2/.

Is it alright? 
I want to read/write/open file at mounted location.

Thanks for your help.

_ Yunju Na.


Michael Halcrow | 9 Aug 2007 20:38

Re: File operation on eCryptfs mounted with tpm_keyring.

On Fri, Aug 10, 2007 at 03:27:42AM +0900, 나 윤주 wrote:
> I have some problem using TPM_keyring and eCryptfs.

The TPM key module support is broken in recent releases of the
eCryptfs utils package; this is why the TPM key module is not shipped
with the ecryptfs-utils package today. We are in the process of
updating that module and integrating it into the main ecryptfs-utils
package. I will make an announcement on this list when it is
available.

Mike
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
eCryptfs-users mailing list
eCryptfs-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ecryptfs-users
나 윤주 | 9 Aug 2007 22:02

Re: File operation on eCryptfs mounted with tpm_keyring.


> > I have some problem using TPM_keyring and eCryptfs.
>
>The TPM key module support is broken in recent releases of the
>eCryptfs utils package; this is why the TPM key module is not shipped
>with the ecryptfs-utils package today. We are in the process of
>updating that module and integrating it into the main ecryptfs-utils
>package. I will make an announcement on this list when it is
>available.
>
>Mike

Thanks for your answer.

As you commented, recent releases of eCryptfs don't include the TPM key 
module.
So I used an old version, released before kernel 2.6.19 (which included the 
eCryptfs module).
Does that version also not work well?

I'm testing now on kernel 2.6.17.14 and ecryptfs released on 2006/09/27. 

And I hope TPM key module support is available soon. :)
Thank you. 

_ Yunju Na.


Ralf Rojahn | 16 Aug 2007 11:35

How to seal a partition to a TPM by using ecryptfs

Hello,

I would like to use trousers to seal (or bind) my root partition to my TPM.

I have installed trousers and tpm-tools on a Fujitsu-Siemens ST5020 
Tablet-PC (which contains an Infineon 1.1 TPM hardware).
I am running on Gentoo Linux with a 2.6.21-r4 kernel.

At this point, some questions appeared:

1. I found ecryptfs (http://ecryptfs.sourceforge.net) to be the only 
crypto-FS that currently supports a TPM; is that true?

2. I know that at this point ecryptfs TPM support is not working. Are 
there any older versions which used to work? If so, please tell me the 
versions of ecryptfs and trousers.

3. In this tutorial 
(http://trousers.sourceforge.net/tpm_keyring2/quickstart.html) setting 
up the TPM Keyring is shown by using a KDE-Application. I don't have X 
installed, and perhaps someone could explain the basic ideas behind it, 
so I could do this on the command line.

As I said, my final goal is to seal my root partition to my TPM.

I already know that certain applications and the BIOS itself can create 
hashes for important files and hand them over to the TPM, where they are 
stored in PCRs (or does the TPM calculate the hashes itself? I'm not 
quite sure...).
Maybe it is possible to seal the encrypted partition to these PCRs.

Ashok Kumar | 16 Aug 2007 16:40

thread specific,process specific keyring

hi,

I don't know how to use the thread-specific keyring or the process-specific keyring. I don't even know how to use the keyctl command to view it.
I went through the man page, but didn't get much info.

any pointers ?

Ashok

help.me.spam.me | 21 Aug 2007 19:10

Home folder encryption how-to?

Hi all: I've considered several options to secure my data. The ideal solution 
would be to encrypt my home folder. I use Kubuntu Feisty 7.04. I understand 
that ecryptfs is built into the kernel and I've downloaded the ecryptfs 
utilities. I've read the README and did some research on Google, but I really 
can't wrap my brain around this. Has anyone written a step by step how-to on 
this?

Thanks!

Michael Halcrow | 21 Aug 2007 19:49

Re: Home folder encryption how-to?

On Tue, Aug 21, 2007 at 10:10:32AM -0700, help.me.spam.me <at> gmail.com wrote:
> Hi all: I've considered several options to secure my data. The ideal
> solution would be to encrypt my home folder. I use Kubuntu Feisty
> 7.04. I understand that ecryptfs is built into the kernel and I've
> downloaded the ecryptfs utilities. I've read the README and did some
> research on Google, but I really can't wrap my brain around
> this. Has anyone written a step by step how-to on this?

Assuming you've installed the ecryptfs-utils package, as root, run:

mount -t ecryptfs /home/user /home/user

Then log in as the user. Make sure only eCryptfs-encrypted files are
in /home/user when you do that.

That's the easy answer. There are several other things you could do,
depending on what kind of user experience you are after. For instance,
in the IBM Open Client Linux distro, a ~/Confidential/ directory is
mounted automatically when the user logs in, using his login
passphrase to unwrap a mount passphrase, with the help of a PAM
module. You could play a few games to get that to work on the actual
home directory (i.e., leave .bash_profile unencrypted and use
plaintext passthrough mount mode).

Mike
Michael Halcrow | 21 Aug 2007 19:59

Re: Home folder encryption how-to?

On Tue, Aug 21, 2007 at 12:49:16PM -0500, Michael Halcrow wrote:
> For instance, in the IBM Open Client Linux distro, a ~/Confidential/
> directory is mounted automatically when the user logs in, using his
> login passphrase to unwrap a mount passphrase, with the help of a
> PAM module.

I just posted the guide for setting that up here:

http://ecryptfs.sourceforge.net/ecryptfs-pam-doc.txt
help.me.spam.me | 21 Aug 2007 21:52

Re: Home folder encryption how-to?

On Tuesday 21 August 2007 10:59:18 Michael Halcrow wrote:
> On Tue, Aug 21, 2007 at 12:49:16PM -0500, Michael Halcrow wrote:
> > For instance, in the IBM Open Client Linux distro, a ~/Confidential/
> > directory is mounted automatically when the user logs in, using his
> > login passphrase to unwrap a mount passphrase, with the help of a
> > PAM module.
>
> I just posted the guide for setting that up here:
>
> http://ecryptfs.sourceforge.net/ecryptfs-pam-doc.txt

Mike - Thanks for your very quick reply. I think I follow the logic. My ideal 
scenario would be for a user to log in and have the entire home directory 
encrypted (mail, firefox, etc.). I am looking for a transparent user 
experience, but I am still not quite sure how to accomplish this. Your 
instructions assume a separate confidential folder and no pre-existing files 
within that folder. 
These are the steps that I see would need to happen in my case:
One time only
1. User is logged out
2. Root logs in and moves /home/user content to another folder
3. Root mount -t ecryptfs /home/user /home/user
4. Root moves content back to /home/user (encryption happens at this time?!)
All consecutive times - manual option
1. User is logged out
2. Root logs in and mount -t ecryptfs /home/user /home/user
3. User logs in
All consecutive times - automatic option
1. User logs in
In order for the automatic option to work, the .profile can not be encrypted?! 
I am not sure how to do this. I am also not sure how to use plaintext 
passthrough mount mode. Is there anything else?
I also have a question about the mount passphrase signature/identifier value. 
It gets entered into the /etc/fstab for automount. Is this a potential 
security risk, if the hard drive gets lost?  

Thanks again!

-- 
Tim

Michael Halcrow | 21 Aug 2007 21:59

Re: Home folder encryption how-to?

On Tue, Aug 21, 2007 at 12:52:29PM -0700, help.me.spam.me <at> gmail.com wrote:
> Mike - Thanks for your very quick reply. I think I follow the logic. My ideal 
> scenario would be for a user to log in and have the entire home directory 
> encrypted (mail, firefox, etc.). I am looking for a transparent user 
> experience, but I am still not quite sure how to accomplish this. Your 
> instructions assume a separate confidential folder and no pre-existing files 
> within that folder. 
> These are the steps that I see would need to happen in my case:
> One time only
> 1. User is logged out
> 2. Root logs in and moves /home/user content to another folder
> 3. Root mount -t ecryptfs /home/user /home/user
> 4. Root moves content back to /home/user (encryption happens at this
> time?!)

Yes.

> All consecutive times - manual option
> 1. User is logged out
> 2. Root logs in and mount -t ecryptfs /home/user /home/user
> 3. User logs in
> All consecutive times - automatic option
> 1. User logs in
> In order for the automatic option to work, the .profile can not be encrypted?! 
> I am not sure how to do this. I am also not sure how to use plaintext 
> passthrough mount mode. Is there anything else?

It should work with the "passthrough" mount option in the set of
options in the fstab. Just keep .bash_profile in there in unencrypted
form. Create the .bash_profile in the directory while it is not
eCryptfs-mounted to begin with, mount eCryptfs, and then create all
other files.

> I also have a question about the mount passphrase signature/identifier value. 
> It gets entered into the /etc/fstab for automount. Is this a potential 
> security risk, if the hard drive gets lost?  

No. FYI, this same value is also written to the header of every
encrypted file.

Mike
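The one-time migration Tim lists above and Mike confirms (move the home directory out, mount eCryptfs over it, move the files back in, keep .bash_profile unencrypted with the passthrough option), written out as a shell script, followed by the fstab line for the automatic option. This is an added example, not code from the thread or from ecryptfs-utils. It assumes the mount option names ecryptfs_sig, ecryptfs_cipher, ecryptfs_key_bytes and ecryptfs_passthrough (the spelling of later ecryptfs-utils releases; the 2007 mount helper may name the passthrough flag differently), that the passphrase was already added to the kernel keyring so that mount does not prompt, and a constructed signature value and staging path.

```shell
#!/bin/sh
# Added example, not from the thread or ecryptfs-utils: one-time migration of
# an existing /home/$user onto an eCryptfs mount over itself, plus the fstab
# line for the "automatic option". Mount option names are an assumption (later
# ecryptfs-utils spelling); the key signature is assumed to be in the keyring.
set -u

# Mount options. SIG is the 16-hex-char passphrase signature: it identifies
# which key the files need and is not a secret (it is written to every file
# header, so placing it in fstab reveals nothing new). PASSTHROUGH=yes lets
# files that are not eCryptfs-encrypted in the lower directory (here
# .bash_profile) be read through the mount, which is what lets the login
# shell start before any key is available.
ecryptfs_mount_opts() {
    sig=$1; passthrough=${2:-no}
    opts="ecryptfs_sig=$sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
    [ "$passthrough" = yes ] && opts="$opts,ecryptfs_passthrough"
    printf '%s\n' "$opts"
}

# fstab entry for the automatic option (mount /home/USER over itself).
ecryptfs_fstab_line() {
    user=$1; sig=$2
    printf '/home/%s /home/%s ecryptfs %s 0 0\n' \
        "$user" "$user" "$(ecryptfs_mount_opts "$sig" yes)"
}

# The one-time sequence as commands, one per line, without running anything:
#  1. move everything out of the home directory into a root-only staging dir,
#  2. put .bash_profile back into the still-unmounted lower directory in
#     unencrypted form (or create an empty one if the user had none),
#  3. mount eCryptfs over the home directory,
#  4. move everything except .bash_profile back in: these writes now go
#     through eCryptfs, which is where the encryption happens,
#  5. remove the staging directory. Caveat: mv across the mount boundary
#     copies and unlinks, so the plaintext blocks in staging are not
#     overwritten on disk.
plan_migration() {
    user=$1; sig=$2
    home=/home/$user; staging=/home/.migrate-$user
    cat <<EOF
mkdir -m 0700 $staging
find $home -mindepth 1 -maxdepth 1 -exec mv -t $staging {} +
cp -p $staging/.bash_profile $home/.bash_profile 2>/dev/null || touch $home/.bash_profile
mount -t ecryptfs $home $home -o $(ecryptfs_mount_opts "$sig" yes)
find $staging -mindepth 1 -maxdepth 1 ! -name .bash_profile -exec mv -t $home {} +
rm -rf $staging
EOF
}

# Execute the plan as root, only while the user is logged out: a live session
# would keep plaintext files open and could write into the unmounted directory.
migrate_home() {
    user=$1; sig=$2
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    if ps -u "$user" -o pid= 2>/dev/null | grep -q .; then
        echo "$user still has processes running; log the user out first" >&2
        return 1
    fi
    plan_migration "$user" "$sig" | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd"
        sh -c "$cmd" || exit 1
    done
}

# Usage (as root, with the user logged out):
#   migrate_home tim 0123456789abcdef
#   ecryptfs_fstab_line tim 0123456789abcdef >> /etc/fstab
# The signature above is a constructed placeholder.
```

plan_migration only prints the commands, so the sequence can be reviewed (or diffed against a second run) before migrate_home executes it; the find/mv lines use GNU find and mv as found on Linux.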