Hello,
I am following this method to encrypt my eMMC partition:
1. generate key:
KEYNAME=dm_trust
KEY="$(keyctl add trusted $KEYNAME 'new 32' @s)"
keyctl pipe "$KEY" > ~/$KEYNAME.blob
2. Set variables:
DEV=/dev/mmcblk0p4
ALGO=capi:cbc\(aes\)-plain
TARGET=crypt
BLOCKS=$(blockdev --getsz "$DEV")
KEYNAME=dm_trust
TABLE="0 $BLOCKS $TARGET $ALGO :32:trusted:$KEYNAME 0 $DEV 0 1 allow_discards"
3. Create new device mapper
echo "$TABLE" | dmsetup create encrypted
4. LOAD device mapper "encrypted" ("dmsetup create" already loads and activates the table; "load" only replaces the inactive table, so this step is optional)
echo "$TABLE" | dmsetup load encrypted
5. Format and mount partition:
mkfs.ext4 /dev/mapper/encrypted
mount -t ext4 /dev/mapper/encrypted /crypt
Now, I would like not to have the $KEYNAME.blob in my system but use the keyring. Since the session keyring expires after reboot, I tried to save the key on a persistent keyring:
keyctl newring my-keyring @u > /etc/keyrings/my-persistent-keyring_id
keyctl add trusted my-key "load $(cat ~/dm_trust.blob)" $(cat /etc/keyrings/my-persistent-keyring_id)
keyctl link $(cat /etc/keyrings/my-persistent-keyring_id) @u
Unfortunately the 2nd (and 3rd) keyctl calls return "permission denied" even though I am root.
What is the correct procedure to store the key in the keyring?
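The script below is an added example; it is not code from the question above or from the reply, and its names (keyring "my-keyring", trusted key "dm_trust", blob path /etc/keys/dm_trust.blob, script name keyring_setup.sh) are assumptions. It shows one way to make the keyring usable by numeric id. The likely reason root is refused is that a keyring created with "keyctl newring" gets the kernel's default permission mask, full access for the possessor but only "view" for the owning uid; when the shell does not possess the new ring (its session keyring does not reach root's @u, which happens in su/sudo shells or on a minimal init without pam_keyinit), the kernel falls back to the user bits and both "keyctl add" into the ring and "keyctl link" of the ring are denied. Granting the owning uid full rights with "keyctl setperm" removes the dependence on possession, and linking the ring into @s lets dm-crypt's ":32:trusted:KEYNAME" lookup, which searches the caller's keyrings, find the key. One caveat: no kernel keyring survives a reboot, neither @u nor the persistent keyring; the TPM-sealed blob is what has to stay on disk, and a script like this is what re-loads it at boot.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed names: keyring
# "my-keyring", trusted key "dm_trust", sealed blob at /etc/keys/dm_trust.blob.
# Requires keyctl (keyutils) and a TPM-backed "trusted" key type.

# decode_keyperm HEXMASK
# Print a key permission mask in the 24-character form "keyctl describe" uses:
# possessor, user, group, other, each as "alswrv" (setattr, link, search,
# write, read, view) with '-' for a bit that is not set.
decode_keyperm() {
    hex=${1#0x}
    mask=$((0x$hex))
    out=""
    for shift in 24 16 8 0; do
        bits=$(( (mask >> shift) & 0x3f ))
        for pair in a:32 l:16 s:8 w:4 r:2 v:1; do
            if [ $(( bits & ${pair#*:} )) -ne 0 ]; then
                out="$out${pair%:*}"
            else
                out="$out-"
            fi
        done
    done
    printf '%s\n' "$out"
}

# user_can_write HEXMASK -> exit 0 when the owning uid has the write bit
# (0x00040000), i.e. writes succeed without relying on possession.
user_can_write() {
    hex=${1#0x}
    [ $(( (0x$hex) & 0x00040000 )) -ne 0 ]
}

# ring_perm KEYID -> the raw hex mask from "keyctl rdescribe"
# (output format: type;uid;gid;perm;description).
ring_perm() {
    keyctl rdescribe "$1" | cut -d';' -f4
}

# setup_trusted_keyring [RING] [KEYNAME] [BLOB]
# 1. create a keyring under root's @u
# 2. grant the owning uid full rights, so later calls by numeric id succeed
#    even from a shell whose session keyring does not reach @u
# 3. load the TPM-sealed blob as a trusted key into that ring
# 4. link the ring into @s so dm-crypt's ":32:trusted:KEYNAME" lookup,
#    which searches the caller's keyrings, finds the key
# Keyrings live in kernel memory and do not survive a reboot; the sealed blob
# stays on disk and this function is what re-loads it at boot.
setup_trusted_keyring() {
    ring_name=${1:-my-keyring}
    key_name=${2:-dm_trust}
    blob=${3:-/etc/keys/dm_trust.blob}

    ring=$(keyctl newring "$ring_name" @u)
    echo "new ring $ring perms: $(decode_keyperm "$(ring_perm "$ring")")"

    if ! user_can_write "$(ring_perm "$ring")"; then
        # 0x3f3f0000 = possessor all | user all; group and other get nothing.
        keyctl setperm "$ring" 0x3f3f0000
        echo "after setperm:      $(decode_keyperm "$(ring_perm "$ring")")"
    fi

    key=$(keyctl add trusted "$key_name" "load $(cat "$blob")" "$ring")
    keyctl link "$ring" @s
    echo "loaded trusted key $key as '$key_name' in ring $ring"
}

# Usage:  sh keyring_setup.sh decode 3f010000
#         sh keyring_setup.sh setup my-keyring dm_trust /etc/keys/dm_trust.blob
case "${1:-}" in
    decode) decode_keyperm "$2" ;;
    setup)  setup_trusted_keyring "$2" "$3" "$4" ;;
esac
```

"decode 3f010000" prints alswrv-----v------------, the default mask of a freshly created keyring, which is why a non-possessing root process can only view it; after setperm 0x3f3f0000 it reads alswrvalswrv------------. With the ring linked into @s, the dm-crypt table line from the question can reference the key as :32:trusted:dm_trust without the blob being passed on the command line.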
Hello,
I sent you an email with a reference; I hope that can be helpful.
Regards
Harvey