For those who are interested, eCryptfs can now support TPM based keys... Note that public key support in eCryptfs is not yet in the upstream Linux kernel, you'll need to grab the latest -mm tree.

Kent

---------- Forwarded message ----------
From: Kent Yoder <shpedoikal@...>
Date: Sep 23, 2006 3:11 PM
Subject: [PATCH] TPM PKI support
To: eCryptfs-devel@...

Hi,

Attached is a patch adding support for loading a TPM key from the TSS's persistent storage for use in eCryptfs. The mount option will look like:

mount -t ecryptfs /lower /upper -o key=tpm:uuid=a79afba5247b1169f1f50f972031cb4b

There are no supported mount options other than "uuid" at this time. The TPM PKI will load the key using the TSS, with the key being indexed by uuid. The current code will pop up a dialog through the TSS to receive the TPM SRK's auth. This presents a problem because the ecryptfs kernel module times out fairly quickly if it doesn't hear back from the ecryptfsd. Usually what happens is an -EIO the first time pki_ops->decrypt is called by ecryptfsd, then success from there on (the pki module caches everything it can, so that future decrypts happen quickly and don't require a GUI prompt). There is no support for password protected TPM keys (other than the SRK) at this time.

The patch also modifies the ecryptfs-util build so that it detects whether the openssl and TSS libraries exist, and only builds those pkis that are present.

This patch applies cleanly to the ecryptfs-20060921 tarball. After applying the patch, ecryptfs-util/reconf must be run, followed by the normal install procedures. It also requires trousers, available from sf.net/projects/trousers.

Comments and suggestions welcome. :-) I am also planning a release of TPM key manager for TPM based eCryptfs keys, which will be released on the trousers site shortly.

Thanks,
Kent

--
Kent Yoder
IBM LTC Security Dev.

--
Kent Yoder
IBM LTC Security Dev.
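The message above shows the key spec format `key=tpm:uuid=<hex>` and states that "uuid" is the only sub-option the TPM PKI accepts. The following is an added illustration, not code from the eCryptfs patch or from trousers, of how a userspace helper could validate such a key spec before handing it to a PKI module: it rejects unsupported sub-options and malformed uuids up front rather than letting a typo select a key silently. It assumes the spec has the shape `<pki>:<name>=<value>` exactly as in the mount line above, and that a TSS uuid is written as 32 hex digits as in that example; both are assumptions about this illustration, not a statement about how ecryptfsd itself parses the option.

```python
import re

# Sub-options the announcement says the TPM PKI supports (only "uuid").
SUPPORTED_TPM_OPTIONS = {"uuid"}

# Assumption for this example: a TSS uuid is written as 32 hex digits,
# matching the uuid shown in the announcement's mount line.
_HEX_UUID = re.compile(r"^[0-9a-fA-F]{32}$")


class KeySpecError(ValueError):
    """Raised for a key spec the helper refuses to pass on to a PKI module."""


def parse_key_option(value):
    """Parse the value of an eCryptfs 'key=' mount option.

    Accepts "<pki>" or "<pki>:<name>=<value>" (the shape shown in the
    announcement) and returns (pki_name, {name: value}).  For the "tpm"
    PKI the sub-option must be a well-formed "uuid"; anything else is an
    error so that a mistyped option cannot be ignored and a wrong key used.
    """
    pki, _, rest = value.partition(":")
    if not pki:
        raise KeySpecError("missing PKI name in key spec")
    opts = {}
    if rest:
        name, sep, val = rest.partition("=")
        if not sep or not name:
            raise KeySpecError(f"sub-option {rest!r} is not name=value")
        opts[name] = val
    if pki == "tpm":
        unknown = set(opts) - SUPPORTED_TPM_OPTIONS
        if unknown:
            raise KeySpecError(f"unsupported tpm sub-option(s): {sorted(unknown)}")
        if "uuid" not in opts:
            raise KeySpecError("tpm key spec requires uuid=<hex>")
        if not _HEX_UUID.match(opts["uuid"]):
            raise KeySpecError("uuid must be 32 hex digits")
    return pki, opts


def rejects(value):
    """Return True if parse_key_option refuses the given key spec."""
    try:
        parse_key_option(value)
    except KeySpecError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the uuid from the announcement's mount line.
    print(parse_key_option("tpm:uuid=a79afba5247b1169f1f50f972031cb4b"))
```

The point of the strict checks is the caching behaviour described in the message: once a wrong key has been loaded and cached by the PKI module, later decrypts keep using it, so the safest place to catch a malformed spec is before the first TSS call.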