Documentation of ecryptfs-manager poor/missing

Bug #878239 reported by Hadmut Danisch
This bug affects 1 person
Affects   Status        Importance   Assigned to   Milestone
eCryptfs  In Progress   Wishlist     Jason Xing

Bug Description

Hi,

wherever I look for any information about how to use ecryptfs-manager, I just get useless phrases like

   "ecryptfs-manager is an application that manages eCryptfs objects such as keys."

Absolutely worthless.

There's no command line help either.

When starting ecryptfs-manager, it offers three different actions.

Option 1 allows to add a passphrase to a keyring, but none of the other docs explains, what a keyring is used for or why „passphrases” should be added to a keyring.

Option 2 adds a public key to a keyring, and again, it is unclear what a public key is used for, since other ecryptfs docs imply use of symmetric cryptography, no public/secret keys.

Option 3 allows to generate a new public/private key pair, but asks for a key type without giving the slightest hint about what type choices there are.

This software is poor and really prone to wrong (i.e. dangerous) use.

This is not the way security works.

Dustin Kirkland  (kirkland) wrote :

Agreed, the ecryptfs-manager feature is very infrequently used and poorly documented. Confirming/wishlisting this bug. It's crossed my mind more than a few times to deprecate the feature entirely...

Changed in ecryptfs:
status: New → Confirmed
importance: Undecided → Wishlist
Tyler Hicks (tyhicks) wrote : Re: [Bug 878239] Re: Documentation of ecryptfs-manager poor/missing

On 2011-10-19 19:59:57, Dustin Kirkland wrote:
> It's crossed my mind more than a few times to deprecate the feature
> entirely...

I disagree.

IMO, we should strive to separate out the complexity of setting up the
auth tok, and inserting it into the keyring, from mount helpers. Keep in
mind that setting up the auth tok could involve a key module making a
key fetch request over the network. This would make the mount helpers
more auditable and reduce the risk when making them setuid root.

ecryptfs-manager is a step in the right direction, but it does
definitely need some love.

Tyler Hicks (tyhicks) wrote : Re: [Bug 878239] [NEW] Documentation of ecryptfs-manager poor/missing

Sorry for the lack of documentation around ecryptfs-manager. I'll try to
address your questions here until someone gets a chance to write better
documentation.

ecryptfs-manager is a command-line tool that can generate keys and add
them to your kernel keyring so that the eCryptfs kernel code can later
use them for encryption and decryption of files.

On 2011-10-19 14:33:43, Hadmut Danisch wrote:
> When starting ecryptfs-manager, it offers three different actions.
>
> Option 1 allows to add a passphrase to a keyring, but none of the other
> docs explains, what a keyring is used for or why „passphrases” should be
> added to a keyring.

Several ecryptfs-utils userspace tools can add keys to the kernel
keyring so that the eCryptfs kernel code can retrieve those keys and use
them for the encryption and decryption of files.

These keys can be symmetric (passphrase based) or asymmetric (OpenSSL).
Passphrase based keys go through a key strengthening routine and then
are added to the kernel keyring before an eCryptfs mount is performed.

> Option 2 adds a public key to a keyring, and again, it is unclear what a
> public key is used for, since other ecryptfs docs imply use of symmetric
> cryptography, no public/secret keys.

There is some symmetric key support through OpenSSL. However, some
distros don't ship the eCryptfs OpenSSL key module, so users of those
distros won't have asymmetric key support.

The asymmetric key support isn't widely used at this time. Therefore,
there are some lingering issues with it, such as performance and
usability.

> Option 3 allows to generate a new public/private key pair, but asks for
> a key type without giving the slightest hint about what type choices
> there are.

That's because you don't have the OpenSSL key module installed. The
ecryptfs-manager prompts should take this into account, but they don't.
Please consider filing a separate bug about this.
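
An added example, not part of the original comment or of the eCryptfs code: a sketch of the kind of iterated-hash key strengthening described above for passphrase-based keys, producing the key material and a short signature under which the key can be looked up. The use of SHA-512, the salt size, the iteration count and the signature length are assumptions modelled on ecryptfs-utils and are not stated on this page.

```python
import hashlib

# Assumed parameters, modelled on ecryptfs-utils and not stated on this page.
SALT_SIZE = 8            # bytes of salt prepended to the passphrase
HASH_ITERATIONS = 65536  # total SHA-512 rounds
KEY_BYTES = 64           # strengthened key length
SIG_BYTES = 8            # signature length; shown as 16 hex characters


def strengthen_passphrase(passphrase, salt, iterations=HASH_ITERATIONS):
    """Return (key, sig_hex) for a passphrase-based key.

    key     -- the strengthened secret that would be placed in the keyring
    sig_hex -- a non-secret identifier derived from the key, used to look
               the key up again at mount time
    """
    if not passphrase:
        raise ValueError("passphrase must not be empty")
    if len(salt) != SALT_SIZE:
        raise ValueError("salt must be %d bytes" % SALT_SIZE)
    if iterations < 1:
        raise ValueError("iterations must be at least 1")

    digest = hashlib.sha512(salt + passphrase).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha512(digest).digest()

    key = digest[:KEY_BYTES]
    # One more round so the identifier does not expose key bytes.
    sig_hex = hashlib.sha512(digest).digest()[:SIG_BYTES].hex()
    return key, sig_hex


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    passphrase = b"correct horse battery staple"
    salt_a = bytes.fromhex("0011223344556677")
    salt_b = bytes.fromhex("8899aabbccddeeff")
    for salt in (salt_a, salt_b):
        key, sig = strengthen_passphrase(passphrase, salt)
        print("salt=%s  keyring entry sig=%s  key length=%d"
              % (salt.hex(), sig, len(key)))
```

A different passphrase or salt yields a different signature, and therefore a different keyring entry.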

Ben (pufiad) wrote :

> > Option 3 allows to generate a new public/private key pair, but asks for
> > a key type without giving the slightest hint about what type choices
> > there are.
>
> That's because you don't have the OpenSSL key module installed. The
> ecryptfs-manager prompts should take this into account, but they don't.
> Please consider filing a separate bug about this.

I have the same problem. How can I add the OpenSSL key module in Ubuntu 11.10?

Jason Xing (wlxing) wrote :

@Ben, please take a look at bug 1540217 and its comment made by Tyler (https://bugs.launchpad.net/ecryptfs/+bug/1540217/comments/1). You have to build on your own to ship eCryptfs with openssl.

Jason Xing (wlxing) wrote :

I'm assigning to me for two issues:
1) Write the document (man page) for ecryptfs-manager.
2) Fix the bug 1695767.

Any thoughts?

Changed in ecryptfs:
assignee: nobody → Jason Xing (wlxing)
status: Confirmed → In Progress