[dm-crypt] Kernel Keyring Service

Ahmed, Safayet (GE Global Research) Safayet.Ahmed at ge.com
Fri Dec 12 17:23:20 CET 2014


Is there a way to set up an encrypted partition with keys from the kernel keyring? The keyring services support special keys called encrypted keys. These keys never exist outside kernel memory in an unencrypted state. These encrypted keys are encrypted with other keys in the kernel keyring: user keys and trusted keys. Trusted keys are keys protected by a TPM SRK.

http://lxr.free-electrons.com/source/Documentation/security/keys-trusted-encrypted.txt

This would be something different from TPM-LUKS, which protects keys in the TPM NVRAM. A possible advantage of using encrypted keys from the kernel keyring is that the key(s) used by dm-crypt never have to be exposed to user space in an unencrypted state. Currently, user space can see the encryption key of a dm-crypt partition in plaintext by using the following command:

dmsetup table --showkeys <device name>

I am not entirely sure if that is an issue.

Lastly, I just want to mention that trusted keys and encrypted keys are already used for ecryptfs:

http://lxr.free-electrons.com/source/Documentation/security/keys-ecryptfs.txt

Thanks,

Safayet
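As an added example (not code from the original post or from the dm-crypt project), the following Python script parses dm-crypt target lines of the kind `dmsetup table --showkeys` prints and reports whether the volume key is present in user space as plaintext hex, which is the exposure the post describes. The table syntax is the documented dm-crypt target format (`<start> <length> crypt <cipher> <key> <iv_offset> <device> <offset> [<#opt> <opt>...]`). The keyring reference form `:<key_size>:<key_type>:<key_description>` was added to dm-crypt in kernels later than the one discussed here and is included only to show what the alternative looks like in the same table; the sample table lines, device names and key descriptions are constructed for the example, not captured from a real host.

```python
"""
Audit dm-crypt table lines for volume keys exposed to user space.

Added example, not code from the original post. The sample table
lines below are constructed; the ":<size>:<type>:<desc>" keyring
syntax is a later dm-crypt feature than the 2014 thread discusses.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A key given inline is a hex string (key length == cipher key size).
_HEX_KEY_RE = re.compile(r"^[0-9a-fA-F]+$")
# A key held in the kernel keyring is referenced, not copied, in the table.
_KEYRING_RE = re.compile(r"^:(\d+):(logon|user|encrypted|trusted):(.+)$")


@dataclass
class CryptTarget:
    start: int
    length: int
    cipher: str
    key_field: str
    iv_offset: int
    device: str
    offset: int
    opt_params: List[str] = field(default_factory=list)

    @property
    def key_in_userspace(self) -> bool:
        """True when the table carries the raw key as hex (readable via --showkeys)."""
        return bool(_HEX_KEY_RE.match(self.key_field))

    @property
    def key_bytes(self) -> Optional[bytes]:
        """The plaintext volume key, if the table exposes it."""
        return bytes.fromhex(self.key_field) if self.key_in_userspace else None

    @property
    def keyring_ref(self) -> Optional[Tuple[int, str, str]]:
        """(key size in bytes, key type, key description) for a keyring reference."""
        m = _KEYRING_RE.match(self.key_field)
        return (int(m.group(1)), m.group(2), m.group(3)) if m else None


def parse_crypt_table(line: str) -> CryptTarget:
    """Parse one 'crypt' target line as printed by `dmsetup table`."""
    fields = line.split()
    if len(fields) < 8 or fields[2] != "crypt":
        raise ValueError(f"not a dm-crypt table line: {line!r}")
    key_field = fields[4]
    if not (_HEX_KEY_RE.match(key_field) or _KEYRING_RE.match(key_field)):
        raise ValueError(f"unrecognised key field: {key_field!r}")
    opt: List[str] = []
    if len(fields) > 8:
        # Optional parameters are preceded by their count.
        count = int(fields[8])
        opt = fields[9:9 + count]
    return CryptTarget(
        start=int(fields[0]), length=int(fields[1]), cipher=fields[3],
        key_field=key_field, iv_offset=int(fields[5]), device=fields[6],
        offset=int(fields[7]), opt_params=opt,
    )


def audit_tables(tables: Dict[str, str]) -> Dict[str, str]:
    """Map each mapped device name to a one-line finding about its key handling."""
    findings: Dict[str, str] = {}
    for name, line in tables.items():
        target = parse_crypt_table(line)
        if target.key_in_userspace:
            findings[name] = (
                f"volume key exposed to user space ({len(target.key_bytes)} bytes)"
            )
        else:
            size, ktype, _desc = target.keyring_ref
            findings[name] = f"keyring reference ({ktype} key, {size} bytes)"
    return findings


# Constructed sample output of `dmsetup table --showkeys` (one line per device).
SAMPLE_TABLES: Dict[str, str] = {
    # 256-bit AES-CBC key written out in hex: anyone who can run dmsetup reads it.
    "cryptroot": "0 2097152 crypt aes-cbc-essiv:sha256 " + "a3" * 32 + " 0 8:3 4096",
    # 512-bit AES-XTS key held in the keyring; the table only names it.
    "cryptdata": "0 4194304 crypt aes-xts-plain64 :64:logon:cryptsetup:part-data-d0 "
                 "0 8:4 4096 1 allow_discards",
}


if __name__ == "__main__":
    for dev, finding in audit_tables(SAMPLE_TABLES).items():
        print(f"{dev}: {finding}")
```

Run against real output by feeding `dmsetup table --showkeys` lines into `audit_tables` keyed by device name (the script itself only uses the constructed samples). Note that a keyring reference in the table removes the key from the table text but does not by itself protect it; whether user space can ever recover it depends on the key type and its permissions, which is exactly the property the post hopes to get from encrypted and trusted keys.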
