[dm-crypt] Kernel Keyring Service

Arno Wagner arno at wagner.name
Sat Dec 13 01:26:51 CET 2014

On Fri, Dec 12, 2014 at 17:23:20 CET, Ahmed, Safayet (GE Global Research) wrote:
> Is there a way to setup an encrypted partition with keys from the kernel
> key ring?  The key-ring services support special keys called encrypted
> keys.  These keys never exist outside kernel memory in an un-encrypted
> state.  These encrypted keys are encrypted with other keys in the kernel
> keyring: user keys and trusted keys.  Trusted keys are keys protected by a
> http://lxr.free-electrons.com/source/Documentation/security/keys-trusted-encrypted.txt
> This would be something different from TPM-LUKS which protects keys in the
> TPM NVRAM.  A possible advantage of using encrypted keys from the kernel
> key ring is that the key(s) used by dm-crypt never have to be exposed to
> user space in an unencrypted state.  Currently, user space can see the
> encryption key of a dm-crypt partition in plain text by using the
> following command:
> dmsetup table --showkeys <device name>
> I am not entirely sure if that is an issue.

It is not. The Unix protection model assumes root is trusted 
and can do anyting. Root can dump kernel memory as well. Trying 
to put in a protection method here that is not in line with the 
Unix protection model is not going to help much.
> Lastly, I just want to mention that trusted keys and encrypted keys are
> already used for ecryptfs:
> http://lxr.free-electrons.com/source/Documentation/security/keys-ecryptfs.txt

I would be very surprised if root could not get the ecryptfs 


> Thanks,
> Safayet
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

More information about the dm-crypt mailing list