# Encrypt directory
"MNT/dir" is encrypted with fscrypt.
Policy: desc1
Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: Yes
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
desc2 No custom protector "prot"
# Lock directory
"MNT/dir" is now locked.
# => filenames should be in encrypted form
cat: MNT/dir/file: No such file or directory
# => shouldn't be able to create a subdirectory
mkdir: cannot create directory 'MNT/dir/subdir': Required key not available
# Unlock directory
Enter custom passphrase for protector "prot": "MNT/dir" is now unlocked and ready for use.
"MNT/dir" is encrypted with fscrypt.
Policy: desc1
Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: Yes
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
desc2 No custom protector "prot"
contents
# Try to lock directory while files busy
[ERROR] fscrypt lock: Directory was incompletely locked because some files are
still open. These files remain accessible.
Try killing any processes using files in the directory, for example using:
find "MNT/dir" -print0 | xargs -0 fuser -k
Then re-run:
fscrypt lock "MNT/dir"
# => status should be incompletely locked
"MNT/dir" is encrypted with fscrypt.
Policy: desc1
Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: Partially (incompletely locked)
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
desc2 No custom protector "prot"
# => open file should still be readable
contents
# => shouldn't be able to create a new file
bash: MNT/dir/file2: Required key not available
# Finish locking directory
"MNT/dir" is now locked.
"MNT/dir" is encrypted with fscrypt.
Policy: desc1
Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: No
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
desc2 No custom protector "prot"
cat: MNT/dir/file: No such file or directory
mkdir: cannot create directory 'MNT/dir/subdir': Required key not available
# Try to lock directory while other user has unlocked
[ERROR] fscrypt lock: Directory "MNT/dir" couldn't be fully
locked because other user(s) have unlocked it.
If you want to force the directory to be locked, use:
sudo fscrypt lock --all-users "MNT/dir"
contents
"MNT/dir" is now locked.
cat: MNT/dir/file: No such file or directory
# Try to operate on locked regular file
"MNT/dir" is now locked.
[ERROR] fscrypt status: cannot operate on locked regular file
"MNT/file"
It is not possible to operate directly on a locked regular file, since the
kernel does not support this. Specify the parent directory instead. (For loose
files, any directory with the file's policy works.)
[ERROR] fscrypt unlock: cannot operate on locked regular file
"MNT/file"
It is not possible to operate directly on a locked regular file, since the
kernel does not support this. Specify the parent directory instead. (For loose
files, any directory with the file's policy works.)