# Try to encrypt a nonexistent directory
[ERROR] fscrypt encrypt: no such file or directory
ext4 filesystem "MNT" has 0 protectors and 0 policies.
All users can create fscrypt metadata on this filesystem.
[ERROR] fscrypt status: file or directory "MNT/dir" is not
encrypted
# Try to encrypt a nonempty directory
[ERROR] fscrypt encrypt: Directory "MNT/dir" cannot be
encrypted because it is non-empty.
Files cannot be encrypted in-place. Instead, encrypt a new directory, copy the
files into it, and securely delete the original directory. For example:
mkdir "MNT/dir.new"
fscrypt encrypt "MNT/dir.new"
cp -a -T "MNT/dir" "MNT/dir.new"
find "MNT/dir" -type f -print0 | xargs -0 shred -n1 --remove=unlink
rm -rf "MNT/dir"
mv "MNT/dir.new" "MNT/dir"
Caution: due to the nature of modern storage devices and filesystems, the
original data may still be recoverable from disk. It's much better to encrypt
your files from the start.
ext4 filesystem "MNT" has 0 protectors and 0 policies.
All users can create fscrypt metadata on this filesystem.
[ERROR] fscrypt status: file or directory "MNT/dir" is not
encrypted
# => with trailing slash
[ERROR] fscrypt encrypt: Directory "MNT/dir/" cannot be
encrypted because it is non-empty.
Files cannot be encrypted in-place. Instead, encrypt a new directory, copy the
files into it, and securely delete the original directory. For example:
mkdir "MNT/dir.new"
fscrypt encrypt "MNT/dir.new"
cp -a -T "MNT/dir" "MNT/dir.new"
find "MNT/dir" -type f -print0 | xargs -0 shred -n1 --remove=unlink
rm -rf "MNT/dir"
mv "MNT/dir.new" "MNT/dir"
Caution: due to the nature of modern storage devices and filesystems, the
original data may still be recoverable from disk. It's much better to encrypt
your files from the start.
ext4 filesystem "MNT" has 0 protectors and 0 policies.
All users can create fscrypt metadata on this filesystem.
[ERROR] fscrypt status: file or directory "MNT/dir" is not
encrypted
# Encrypt a directory as non-root user
ext4 filesystem "MNT" has 1 protector and 1 policy.
All users can create fscrypt metadata on this filesystem.
PROTECTOR LINKED DESCRIPTION
desc1 No custom protector "prot"
POLICY UNLOCKED PROTECTORS
desc2 Yes desc1
"MNT/dir" is encrypted with fscrypt.
Policy: desc2
Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: Yes
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
desc1 No custom protector "prot"
ext4 filesystem "MNT" has 1 protector and 1 policy (only including ones owned by fscrypt-test-user or root).
All users can create fscrypt metadata on this filesystem.
PROTECTOR LINKED DESCRIPTION
desc1 No custom protector "prot"
POLICY UNLOCKED PROTECTORS
desc2 Yes desc1
"MNT/dir" is encrypted with fscrypt.
Policy: desc2
Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: Yes
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
desc1 No custom protector "prot"
# Try to encrypt an already-encrypted directory
[ERROR] fscrypt encrypt: file or directory "MNT/dir" is
already encrypted
# Try to encrypt another user's directory as a non-root user
[ERROR] fscrypt encrypt: cannot encrypt "MNT/dir" because
it's owned by another user (root).
Encryption can only be enabled on a directory you own,
even if you have write access to the directory.
ext4 filesystem "MNT" has 0 protectors and 0 policies.
All users can create fscrypt metadata on this filesystem.
[ERROR] fscrypt status: file or directory "MNT/dir" is not
encrypted