1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
|
.TH E4CRYPT 8 "@E2FSPROGS_MONTH@ @E2FSPROGS_YEAR@" "E2fsprogs version @E2FSPROGS_VERSION@"
.SH NAME
e4crypt \- ext4 file system encryption utility
.SH SYNOPSIS
.B e4crypt add_key -S \fR[\fB -k \fIkeyring\fR ] [\fB-v\fR] [\fB-q\fR] \fR[\fB -p \fIpad\fR ] [ \fIpath\fR ... ]
.br
.B e4crypt new_session
.br
.B e4crypt get_policy \fIpath\fR ...
.br
.B e4crypt set_policy \fR[\fB -p \fIpad\fR ] \fIpolicy path\fR ...
.SH DESCRIPTION
.B e4crypt
performs encryption management for ext4 file systems.
.SH COMMANDS
.TP
.B e4crypt add_key \fR[\fB-vq\fR] [\fB-S\fI salt\fR ] [\fB-k \fIkeyring\fR ] [\fB -p \fIpad\fR ] [ \fIpath\fR ... ]
Prompts the user for a passphrase and inserts it into the specified
keyring. If no keyring is specified, e4crypt will use the session
keyring if it exists or the user session keyring if it does not.
.IP
A salt is used to convert the passphrase into an encryption key, and
ensures that if the user uses the same passphrase in different contexts,
different salt values will result in different encryption keys. By
default,
.B e4crypt
will examine all mounted ext4 file systems, and insert an encryption
key salted with each file system with encryption enabled with its
default salt value.
.IP
Alternatively, if the user specifies an explicit salt, that salt value
will be used to calculate the encryption key from the passphrase.
If the first two characters of
.I salt
are "s:", then the rest
of the argument will be used as a text string and used as the salt
value. If the first two characters are "0x", then the rest of the
argument will be parsed as a hex string and the hex value will be used
as the salt. If the
first characters are "f:" then the rest of the argument will be
interpreted as a filename from which the salt value will be read. If
the string begins with a '/' character, it will similarly be treated as
filename. Finally, if the
.I salt
argument can be parsed as a valid UUID, then the UUID value will be used
as a salt value.
.IP
The
.I keyring
argument specifies the keyring to which the key should be added.
.IP
The
.I pad
value specifies the number of bytes of padding will be added to
directory names for obfuscation purposes. Valid
.I pad
values are 4, 8, 16, and 32.
.IP
If one or more directory paths are specified, e4crypt will try to
set the policy of those directories to use the key just added by the
.B add_key
command. If a salt was explicitly specified, then it will be used
to derive the encryption key of those directories. Otherwise a
directory-specific default salt will be used.
.TP
.B e4crypt get_policy \fIpath\fR ...
Print the policy for the directories specified on the command line.
.TP
.B e4crypt new_session
Give the invoking process (typically a shell) a new session keyring,
discarding its old session keyring.
.TP
.B e4crypt set_policy \fR[\fB -p \fIpad\fR ] \fIpolicy path\fR ...
Sets the policy for the directories specified on the command line.
All directories must be empty to set the policy; if the directory
already has a policy established, e4crypt will validate that the
policy matches what was specified. A policy is an encryption key
identifier consisting of 16 hexadecimal characters.
.SH AUTHOR
Written by Michael Halcrow <mhalcrow@google.com>, Ildar Muslukhov
<muslukhovi@gmail.com>, and Theodore Ts'o <tytso@mit.edu>
.SH SEE ALSO
.BR keyctl (1),
.BR mke2fs (8),
.BR mount (8).
|
