4

I am trying to mount an fs with ecryptfs in a program in C. But I don't manage to give to the kernel part the key

int mount_crypt(char* source)
{
  int   r     = -1;
  char  opt[1024] = "ecryptfs_sig=f83de0de4ecccbb1,ecryptfs_cipher=aes,ecryptfs_key_bytes=16";

  r = mount(source, source, "ecryptfs", MS_MGC_VAL, opt);
  if (r != 0)
    {
      perror("EErrr mount cry");
      printf("Error mount cry: %d\n", r);
    }
  return (r);
}

In /var/log/messages :

process_request_key_err: No key
One or more global auth toks could not properly register; rc = [-2]

I try with this in the opt string :

key=passphrase:passphrase_passwd=MYPASSS

but It doesn't work

with :

int  icloud_mount_crypt(char* source)
{
  int   r     = -1;
  char  opt[1024] = "key=passphrase:passphrase_passwd=XXXXXX,ecryptfs_sig=f83de0de4ecccbb1,ecryptfs_cipher=aes,ecryptfs_key_bytes=16";

  r = mount(source, source, "ecryptfs", MS_MGC_VAL, opt);
  if (r != 0)
    {
      perror("EErrr mount cry");
      printf("Error mount cry: %d\n", r);
    }
  return (r);
}

Here the log :

Feb 15 11:15:41 nightmare kernel: [2847133.493005] ecryptfs_parse_options: eCryptfs: unrecognized option [key=passphrase:passphrase_passwd=XXXXXX]
Feb 15 11:15:41 nightmare kernel: [2847133.493022] Could not find key with description: [f83de0de4ecccbb1]
Feb 15 11:15:41 nightmare kernel: [2847133.493028] process_request_key_err: No key
Feb 15 11:15:41 nightmare kernel: [2847133.493032] Could not find valid key in user session keyring for sig specified in mount option: [f83de0de4ecccbb1]
Feb 15 11:15:41 nightmare kernel: [2847133.493035] One or more global auth toks could not properly register; rc = [-2]
Feb 15 11:15:41 nightmare kernel: [2847133.493039] Error parsing options; rc = [-2]

Thanks for help

Improve this question

2 Answers 2

Reset to default
1

You might find the source code of mount.ecryptfs_private.c useful, as it builds the mount string, and then performs the mount. This is the setuid binary used by pam_ecryptfs in Ubuntu to mount a user's encrypted home directory.

Full disclosure: I am the author of mount.ecryptfs_private.c and maintainer of eCryptfs.

Improve this answer
2
  • Thanks. But reading the code, I don't see how to pass the the key like : mount -t ecryptfs /tmp/disk1 /tmp/disk1 -o rw,passphrase_passwd=XXXXXX,ecryptfs_sig=f83de0de4ecccbb1,ecryptfs_cipher=aes, in the mount syscall I am sorry but I don't see how to well build the opt mount string
    – flav
    Commented Feb 12, 2015 at 15:57
  • See line 612: bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/view/head:/src/…
    – Dustin Kirkland
    Commented Feb 13, 2015 at 12:32
1

In fact, the key must be provide to the kernel before using mount syscall with the Key management facility (see man keyctl)

see : https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/view/head:/src/utils/ecryptfs_add_passphrase.c

and

https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/view/head:/src/libecryptfs/key_management.c

code sample :

[...]

from_hex(salt, ECRYPTFS_DEFAULT_SALT_HEX, ECRYPTFS_SALT_SIZE);
r = ecryptfs_generate_passphrase_auth_tok(&auth_tok, auth_tok_sig_hex,
                    fekek, salt, passphrase);

r = ecryptfs_add_passphrase_key_to_keyring(auth_tok_sig_hex,
                     passphrase,
                     salt);
auth_tok_sig_hex[ECRYPTFS_SIG_SIZE_HEX] = '\0';

if ((rc_long = keyctl(KEYCTL_LINK, KEY_SPEC_USER_KEYRING,
        KEY_SPEC_SESSION_KEYRING))) 
{
  syslog(LOG_ERR, "Error attempting to link the user session "
     "keyring into the session keyring\n");
}

[...]

r = mount(source, source, "ecryptfs", MS_MGC_VAL, opt);
Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.