File: /usr/share/doc/cryptsetup/Keyring.txt
Integration with kernel keyring service
---------------------------------------

We have two different use cases for the kernel keyring service:

I) Volume keys

Since upstream kernel 4.10, the dm-crypt device mapper target allows loading the volume key (VK) in the kernel keyring service. The key offloaded to the kernel keyring service is only referenced (by key description) in the dm-crypt target, and the VK is therefore no longer stored directly in the dm-crypt target.

Starting with cryptsetup 2.0, we load the VK in the kernel keyring by default for LUKSv2 devices (when dm-crypt with the feature is available).

Currently cryptsetup loads the VK in a 'logon' type kernel key, so that the VK is passed to the kernel and can't be read from userspace afterward. Also, cryptsetup loads the VK in the thread keyring (before passing the reference to the dm-crypt target) so that the key lifetime is directly bound to the process that performs the dm-crypt setup. When the cryptsetup process exits (for whatever reason) the key gets unlinked in the kernel automatically.

In summary, the key description visible in the dm-crypt table line is a reference to a VK that usually no longer exists in the kernel keyring service if you used cryptsetup for device activation. Using this feature, dm-crypt no longer maintains a direct key copy (but there's always at least one copy in the kernel crypto layer).

II) Keyslot passphrase

The second use case for the kernel keyring is to allow cryptsetup to read the keyslot passphrase stored in the kernel keyring instead. The user may load the passphrase in the kernel keyring and notify cryptsetup to read it from there later.

Currently, the cryptsetup CLI supports the kernel keyring for passphrases only via the LUKS2 internal token (luks2-keyring). The library also provides a general method for device activation by reading the passphrase from the keyring: crypt_activate_by_keyring().

The key type for use case II) must always be 'user', since we need to read the actual key data from userspace, unlike with the VK in I).

The ability to read the keyslot passphrase from the kernel keyring also makes it easy to auto-activate LUKS2 devices.

A simple example of how to use the kernel keyring for the keyslot passphrase:

1) Create a LUKS2 keyring token for keyslot 0 (in a LUKS2 device/image):

   cryptsetup token add --key-description my:key -S 0 /dev/device

2) Load the keyslot passphrase in the user keyring:

   read -s -p "Keyslot passphrase: "; echo -n "$REPLY" | keyctl padd user my:key @u

3) Activate the device using the passphrase stored in the kernel keyring:

   cryptsetup open /dev/device my_unlocked_device

4a) Unlink the key when no longer needed:

   keyctl unlink %user:my:key @u

4b) Or revoke it immediately:

   keyctl revoke %user:my:key

If cryptsetup asks for a passphrase in step 3), something went wrong with keyring activation. See the --debug output then.
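The following is an added example and is not part of cryptsetup's Keyring.txt or of the cryptsetup code base. It covers both use cases above: part 1 parses a `dmsetup table` line and reports whether the crypt target's key field is a keyring reference of the kernel's documented `:<key_size>:<key_type>:<key_description>` form (use case I) or key material held inline in the table; part 2 (in main) loads a constructed passphrase as a 'user' key into the user keyring, as `keyctl padd user my:key @u` does (use case II), then loads a placeholder blob as a 'logon' key into the thread keyring and shows that the kernel refuses to read a 'logon' key back (KEYCTL_READ fails with EOPNOTSUPP), which is why the VK is stored as 'logon' and the passphrase as 'user'. Assumptions: Linux with the keyring syscalls available; the sample table line, its UUID and device numbers, and the passphrase are constructed; the `cryptsetup:<UUID>-d<n>` description shape follows what cryptsetup 2.x uses but the value here is a placeholder. Note that `dmsetup table` masks an inline hex key with zeros unless `--showkeys` is given, so the check keys off the leading ':' rather than on the hex digits.

```c
/* Added example (not part of cryptsetup's Keyring.txt): Linux-only, C99.
 * Part 1: classify the key field of a `dmsetup table` crypt line.
 * Part 2 (main): 'user' key reads back from userspace, 'logon' key does not.
 * Build: gcc -Wall -o keyring_check keyring_check.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/keyctl.h>       /* KEYCTL_*, KEY_SPEC_* constants; no libc wrappers */

struct dm_key_ref {
    long key_size;       /* bytes, taken from the reference */
    char key_type[16];   /* "logon", "user", "encrypted", "trusted" */
    char key_desc[128];  /* e.g. "cryptsetup:<UUID>-d0" as cryptsetup names its VK keys */
};

/* Returns 1 when the key field of a crypt target is a keyring reference,
 * 0 when the table carries the key itself (hex, or zero-masked because
 * `dmsetup table` was run without --showkeys), -1 if the line is not a
 * parsable crypt target. The description part may itself contain ':'. */
int parse_crypt_table_key(const char *line, struct dm_key_ref *out)
{
    char buf[512], *save, *tok, *p, *end, *colon;
    const char *key = NULL;
    int field = 0;

    memset(out, 0, sizeof(*out));
    if (strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);
    /* fields: <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset> ... */
    for (tok = strtok_r(buf, " \t\n", &save); tok; tok = strtok_r(NULL, " \t\n", &save), field++) {
        if (field == 2 && strcmp(tok, "crypt") != 0)
            return -1;
        if (field == 4) {
            key = tok;
            break;
        }
    }
    if (!key)
        return -1;
    if (key[0] != ':')
        return 0;                       /* key material is in the table line */

    p = (char *)key + 1;                /* "<key_size>:<key_type>:<key_description>" */
    out->key_size = strtol(p, &end, 10);
    if (end == p || *end != ':' || out->key_size <= 0)
        return -1;
    p = end + 1;
    colon = strchr(p, ':');
    if (!colon || colon == p || (size_t)(colon - p) >= sizeof(out->key_type))
        return -1;
    memcpy(out->key_type, p, (size_t)(colon - p));
    snprintf(out->key_desc, sizeof(out->key_desc), "%s", colon + 1);
    return 1;
}

/* Raw syscall wrappers (libkeyutils offers the same; avoided to stay standalone). */
static long sys_add_key(const char *type, const char *desc, const void *payload,
                        size_t plen, long keyring)
{
    return syscall(SYS_add_key, type, desc, payload, plen, keyring);
}
static long sys_keyctl_read(long id, void *buf, size_t len)
{
    return syscall(SYS_keyctl, KEYCTL_READ, id, buf, len, 0L);
}

int main(void)
{
    /* Constructed table line; UUID and device numbers are placeholders. */
    const char *line = "0 2097152 crypt aes-xts-plain64 "
        ":64:logon:cryptsetup:00000000-1111-2222-3333-444444444444-d0 0 253:0 32768";
    struct dm_key_ref ref;
    int rc = parse_crypt_table_key(line, &ref);
    printf("keyring reference=%d size=%ld type=%s desc=%s\n",
           rc, ref.key_size, ref.key_type, ref.key_desc);

    /* Use case II: a 'user' key in @u, as `keyctl padd user my:key @u` does. */
    const char pass[] = "constructed-passphrase";
    char back[64];
    long ukey = sys_add_key("user", "my:key", pass, sizeof pass - 1, KEY_SPEC_USER_KEYRING);
    if (ukey < 0) { perror("add_key user"); return 1; }
    long n = sys_keyctl_read(ukey, back, sizeof back);
    printf("user key reads back %ld bytes\n", n);          /* readable from userspace */
    syscall(SYS_keyctl, KEYCTL_UNLINK, ukey, (long)KEY_SPEC_USER_KEYRING, 0L, 0L);

    /* Use case I: a 'logon' key in the thread keyring; KEYCTL_READ is refused. */
    unsigned char vk[32] = {0};                              /* placeholder, not a real VK */
    long lkey = sys_add_key("logon", "cryptsetup:example-d0", vk, sizeof vk, KEY_SPEC_THREAD_KEYRING);
    if (lkey < 0) { perror("add_key logon"); return 1; }
    n = sys_keyctl_read(lkey, back, sizeof back);
    printf("logon key read -> %ld (%s)\n", n, n < 0 ? strerror(errno) : "unexpectedly readable");
    /* No unlink needed: the thread keyring, and this key with it, goes away with the thread. */
    return 0;
}
```

As a post-activation check, running `dmsetup table` on an opened LUKS2 device and feeding the line to parse_crypt_table_key confirms that the VK is referenced from the keyring (type 'logon') rather than held in the table; a return of 0 on a LUKS2 device means the kernel or cryptsetup in use lacks keyring support and the VK is sitting in the dm-crypt table.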