[dm-crypt] Kernel Keyring Service
Ahmed, Safayet (GE Global Research)
Safayet.Ahmed at ge.com
Fri Dec 12 17:23:20 CET 2014
Is there a way to set up an encrypted partition with keys from the kernel keyring? The keyring services support special keys called encrypted keys. These keys never exist outside kernel memory in an unencrypted state. These encrypted keys are encrypted with other keys in the kernel keyring: user keys and trusted keys. Trusted keys are keys protected by a TPM SRK.
This would be something different from TPM-LUKS, which protects keys in the TPM NVRAM. A possible advantage of using encrypted keys from the kernel keyring is that the key(s) used by dm-crypt never have to be exposed to user space in an unencrypted state. Currently, user space can see the encryption key of a dm-crypt partition in plain text by using the following command:
dmsetup table --showkeys <device name>
I am not entirely sure if that is an issue.
Lastly, I just want to mention that trusted keys and encrypted keys are already used for ecryptfs:
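As an added example (not part of the post above), the following audit script parses `dmsetup table --showkeys` output and separates crypt targets whose key is embedded as raw hex from those that reference a kernel keyring key in the `:<key_size>:<key_type>:<key_description>` form that dm-crypt accepts since Linux 4.10. The sample table lines are constructed, not taken from a real host.

```python
import re

# Constructed sample of `dmsetup table --showkeys` output (not from a real system).
# crypt line format: "<name>: <start> <len> crypt <cipher> <key> <iv_offset> <dev> <offset> [opts...]"
# Without --showkeys, dmsetup masks the key field with zeros of the same length.
SAMPLE_TABLE = """\
vg0-root: 0 41943040 linear 8:3 2048
luks-legacy: 0 20971520 crypt aes-xts-plain64 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0 0 8:17 4096
luks-keyring: 0 20971520 crypt aes-xts-plain64 :32:logon:cryptsetup:d0 0 8:18 4096 1 allow_discards
"""

# Keyring reference: ":<size_in_bytes>:<type>:<description>", types dm-crypt understands
KEYRING_REF = re.compile(r"^:(\d+):(logon|user|encrypted|trusted):(.+)$")
HEX_KEY = re.compile(r"^[0-9a-fA-F]+$")


def classify_key(key_field):
    """Return ("keyring", type, desc) for a keyring reference, ("hex", None, None) for a raw key."""
    m = KEYRING_REF.match(key_field)
    if m:
        return ("keyring", m.group(2), m.group(3))
    if HEX_KEY.match(key_field):
        return ("hex", None, None)
    return ("unknown", None, None)


def audit_table(table_text):
    """Audit every crypt target and report whether its key is exposed in the table."""
    findings = []
    for line in table_text.splitlines():
        if not line.strip():
            continue
        name, _, rest = line.partition(": ")
        fields = rest.split()
        # Skip non-crypt targets (linear, striped, ...) and malformed lines.
        if len(fields) < 8 or fields[2] != "crypt":
            continue
        cipher, key_field = fields[3], fields[4]
        kind, ktype, desc = classify_key(key_field)
        if kind == "hex":
            # Raw key material is visible to any user who can run dmsetup; size follows from hex length.
            findings.append({"name": name, "cipher": cipher, "exposed": True,
                             "key_bits": len(key_field) * 4})
        else:
            # Only a keyring reference is visible; the key itself stays in kernel memory.
            findings.append({"name": name, "cipher": cipher, "exposed": False,
                             "key_type": ktype, "key_desc": desc})
    return findings


if __name__ == "__main__":
    for f in audit_table(SAMPLE_TABLE):
        print(f)
```

On a live system, feed the script the output of `dmsetup table --showkeys` (requires root) instead of the constructed sample.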