
ecryptfs-users team mailing list archive

Re: (un)security of eCryptfs ?

 

Quoting kapetr (kapetr@xxxxxxxxx):

> ------------------------------------------------------------------------------
> Why are there user/process/thread keyrings at all ? 
> ------------------------------------------------------------------------------

bc they are useful.

> When, e.g., someone uses his key for the first time, then from this time
> point can anybody read the files encoded by this key?

That may change one day.

> !!! For what is good keyctl clear @u at all ? If the key is used
> further ? !!!

Because it is more elegant and useful to separate the key's
existence from its being attached to the keyring.  You're
detaching it from the keyring.  If it is still in use elsewhere,
it won't be garbage collected until all references are cleared.

> You wrote: "And you should clear those keys on  unmount."
> Why ? 

1. so that if someone walks by later and tries to remount the
directory, they'll need your key.
2. to maximize the chances that as the system continues to run
it overwrites the memory that contained that key, to prevent
the key being recovered with the system turned off, if you're
paranoid :)

> Does it mean that someone else could mount this ecryptfs again
> WITHOUT knowing the password ? Until logout or reboot ?  !!!

Until reboot, if you (or the umount.ecryptfs_private) don't clear
the key.  Provided they are logged in with your credentials.

> The problem is that documentation of eCryptfs is minimal and doc. of
> keys management is NONE at all.

Please feel free to propose updates.

> So I would like to understand this key management - but ...
> I think that in security issues the understanding (=> documentation)
> is essential.

Absolutely, security is not security if you don't understand it.  Which
is one good reason why so many people roll their own, and why OSS is
really better for this - if you write it or hack on it yourself, and
really understand the inner workings, you're more likely to use it
effectively.

> So in case of eCryptfs: if I do not know, where/how/by who are keys
> stored, managed, .., who can use them, at what time point are they
> usable, ..., then I can't use it :-(( 

Absolutely.

-serge
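The point Serge makes above (clear the eCryptfs keys from the user keyring on unmount, or a remount until reboot needs no passphrase) as an added shell example, not code from the list or from ecryptfs-utils. It assumes the ecryptfs-utils layout where ~/.ecryptfs/Private.sig holds the key signature(s), one per line, and the keyutils `keyctl` tool; `keyctl clear @u` would drop every key, so this unlinks only the matching ones.

```shell
#!/bin/sh
# Added example: after unmounting an eCryptfs directory, verify that its
# authentication-token keys are gone from the user keyring (@u) and unlink
# any that are still linked. Assumes ~/.ecryptfs/Private.sig and keyctl.

# Print the key ids from `keyctl list @u` output ($1) whose description is
# one of the signatures given as the remaining arguments. Lines look like
# " 123456789: --alswrv  1000  1000 user: 0123456789abcdef".
lingering_key_ids() {
    listing=$1; shift
    for sig in "$@"; do
        printf '%s\n' "$listing" | awk -v sig="$sig" \
            '$NF == sig && $(NF-1) == "user:" { sub(":", "", $1); print $1 }'
    done
}

# Unmount $1, then unlink every lingering key named in the sig file ($2).
# Returns non-zero if a key is still linked afterwards, i.e. a remount in
# this session would not need the passphrase.
unmount_and_clear() {
    dir=$1; sigfile=${2:-$HOME/.ecryptfs/Private.sig}
    umount "$dir" || return 1
    sigs=$(cat "$sigfile")
    for id in $(lingering_key_ids "$(keyctl list @u)" $sigs); do
        keyctl unlink "$id" @u
    done
    [ -z "$(lingering_key_ids "$(keyctl list @u)" $sigs)" ]
}

# Constructed sample keyring listing (hypothetical ids and signatures),
# used when the script is run without arguments.
SAMPLE_LISTING='2 keys in keyring:
 123456789: --alswrv  1000  1000 user: 0123456789abcdef
 987654321: --alswrv  1000  1000 user: fedcba9876543210'

if [ $# -gt 0 ]; then
    unmount_and_clear "$@"
else
    # Dry demo on the constructed listing: prints 123456789
    lingering_key_ids "$SAMPLE_LISTING" 0123456789abcdef
fi
```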
