Birger Bauch

ext4 encryption

Discussion created by Birger Bauch on Jan 6, 2016
Latest reply on Feb 12, 2018 by Davis Roman

Hello, please find attached some remarks on ext4 encryption on the i.MX6UL EVK, using a Yocto build with the fslc community kernel version 4.3.0.

Ext4 encryption is supported by mainline kernel version 4.1.3 or higher. Encryption keys are stored in the kernel keyring. To get started, make sure you have enabled the CONFIG_KEYS and CONFIG_EXT4_ENCRYPTION kernel options. Furthermore, you need to update e2fsprogs to at least version 1.43. I prefer the sources from the git repository.


https://wiki.archlinux.org/index.php/Ext4#Using_ext4_per_directory_encryption


Ok, I'm using the latest fslc kernel from meta-fsl-arm at version 4.3.0

root@imx6ulevk:~# uname -a
Linux imx6ulevk 4.3.0-fslc+g5a86d64 #1 SMP Wed Jan 6 10:21:10 CET 2016 armv7l GNU/Linux

To update the e2fsprogs recipe you can use the attached file: replace the contents of yocto/poky/meta/recipes-devtools/e2fsprogs with it.

Now build your image, copy it to a microSD card and run the system on the i.MX6UL evaluation board. Log in via the serial debug console or via ssh if possible.

First generate a random salt (or use a simple salt). Then create the key in the keyring and use its descriptor to set the encryption policy on the directory to be encrypted.

root@imx6ulevk:~# e4crypt add_key -S 0x1234
Enter passphrase (echo disabled):
Added key with descriptor [7c36eecef6c5ee9e]

root@imx6ulevk:~# e4crypt set_policy 7c36eecef6c5ee9e /encrypted/dir
Key with descriptor [7c36eecef6c5ee9e] applied to /encrypted/dir.

root@imx6ulevk:~# touch /encrypted/dir/test.txt

root@imx6ulevk:~# ls -l /encrypted/dir/
-rw-r--r-- 1 root root 0 Jan 4 10:52 test.txt

After each reboot the key is gone from the keyring, so file names show up in their encrypted form. The same add_key command (same passphrase and salt) can then be used to set the key again, which makes the directory and its descendants readable.

root@imx6ulevk:~# ls -l /encrypted/dir/
-rw-r--r-- 1 root root 0 Jan 4 10:52 z,x7tfUEMLzh+AU2MkQcnB

root@imx6ulevk:~# e4crypt get_policy /encrypted/dir/
/encrypted/dir/: 7c36eecef6c5ee9e

root@imx6ulevk:~# e4crypt add_key -S 0x1234
Enter passphrase (echo disabled):
Added key with descriptor [7c36eecef6c5ee9e]

root@imx6ulevk:~# ls -l /encrypted/dir/
-rw-r--r-- 1 root root 0 Jan 4 10:52 test.txt
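The sessions above show that running the identical add_key command after a reboot produces the identical descriptor, and that get_policy only reveals that descriptor, never the key. The following added example (my own code, not from the post or from e2fsprogs) walks through how a passphrase plus a salt is stretched into the raw key and how the 16-hex-digit descriptor is derived from it. It assumes, and this is an assumption to verify against a real e4crypt before relying on it, that e2fsprogs 1.43's e4crypt uses PBKDF2-HMAC-SHA512 with 0xFFFF iterations and a 64-byte key, and takes the descriptor from the first 8 bytes of SHA-512(SHA-512(key)). The functions parse_salt, derive_key, key_descriptor, add_key and random_salt_spec are mine; the passphrases are constructed sample values.

```python
"""Added example: from passphrase + salt to the ext4 key descriptor.

Not the original post's code. The constants and the double-SHA-512
descriptor rule are my understanding of e2fsprogs 1.43's e4crypt and
should be treated as assumptions.
"""
import hashlib
import os

PBKDF2_ITERATIONS = 0xFFFF   # assumed e4crypt iteration count
KEY_SIZE = 64                # assumed EXT4_MAX_KEY_SIZE (raw key length)


def parse_salt(spec: str) -> bytes:
    """Turn a `-S` style salt argument into raw bytes.

    Supports `0x<hex>` (as in the post's `-S 0x1234`) and `s:<string>`
    for a literal string; any other form is rejected instead of being
    silently mis-parsed into a different salt.
    """
    if spec.startswith("0x"):
        return bytes.fromhex(spec[2:])
    if spec.startswith("s:"):
        return spec[2:].encode()
    raise ValueError(f"unsupported salt spec: {spec!r}")


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase into the raw 64-byte master key.

    The salt is what stops one precomputed table from covering every
    device that uses the same passphrase, so a short fixed salt such as
    0x1234 gives far less protection than a random one.
    """
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_SIZE)


def key_descriptor(raw_key: bytes) -> str:
    """Descriptor written into the directory policy and used as the
    keyring description: hex of the first 8 bytes of a double SHA-512
    of the key. It identifies the key without revealing it, which is
    why get_policy is safe to run without the key loaded."""
    ref = hashlib.sha512(hashlib.sha512(raw_key).digest()).digest()
    return ref[:8].hex()


def add_key(passphrase: str, salt_spec: str) -> str:
    """Model of `e4crypt add_key -S <salt>`: returns the descriptor the
    policy would be set with. Loading the key into the kernel keyring
    is not simulated here."""
    return key_descriptor(derive_key(passphrase, parse_salt(salt_spec)))


def random_salt_spec(nbytes: int = 16) -> str:
    """The post's 'generate a random salt' step, in `0x...` form."""
    return "0x" + os.urandom(nbytes).hex()


if __name__ == "__main__":
    # Constructed sample inputs, not the passphrase used in the post.
    passphrase = "correct horse battery staple"
    before_reboot = add_key(passphrase, "0x1234")
    after_reboot = add_key(passphrase, "0x1234")
    other_salt = add_key(passphrase, random_salt_spec())
    print("descriptor:", before_reboot)
    print("same descriptor after reboot:", before_reboot == after_reboot)
    print("different salt gives a different descriptor:",
          before_reboot != other_salt)
```

The useful check for a practitioner: run add_key with a known passphrase and salt on the board, then feed the same values to this script; if the descriptors match, the assumptions above hold for your e2fsprogs build, and you can predict in advance which descriptor a given (passphrase, salt) pair will produce on a new device.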

That's all.

Original Attachment has been moved to: e2fsprogs.tar.gz
