Comment 3 for bug 878239

Tyler Hicks (tyhicks) wrote : Re: [Bug 878239] [NEW] Documentation of ecryptfs-manager poor/missing

Sorry for the lack of documentation around ecryptfs-manager. I'll try to
address your questions here until someone gets a chance to write better
documentation.

ecryptfs-manager is a command-line tool that can generate keys and add
them to your kernel keyring so that the eCryptfs kernel code can later
use them for encryption and decryption of files.

On 2011-10-19 14:33:43, Hadmut Danisch wrote:
> When starting ecryptfs-manager, it offers three different actions.
>
> Option 1 allows you to add a passphrase to a keyring, but none of the other
> docs explains what a keyring is used for or why „passphrases” should be
> added to a keyring.

Several ecryptfs-utils userspace tools can add keys to the kernel
keyring so that the eCryptfs kernel code can retrieve those keys and use
them for the encryption and decryption of files.

These keys can be symmetric (passphrase based) or asymmetric (OpenSSL).
Passphrase based keys go through a key strengthening routine and then
are added to the kernel keyring before an eCryptfs mount is performed.

> Option 2 adds a public key to a keyring, and again, it is unclear what a
> public key is used for, since other ecryptfs docs imply use of symmetric
> cryptography, no public/secret keys.

There is some symmetric key support through OpenSSL. However, some
distros don't ship the eCryptfs OpenSSL key module, so users of those
distros won't have asymmetric key support.

The asymmetric key support isn't widely used at this time. Therefore,
there are some lingering issues with it, such as performance and
usability.

> Option 3 allows you to generate a new public/private key pair, but asks for
> a key type without giving the slightest hint about what type choices
> there are.

That's because you don't have the OpenSSL key module installed. The
ecryptfs-manager prompts should take this into account, but they don't.
Please consider filing a separate bug about this.
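As an added illustration of the passphrase flow described in the reply above (strengthen the passphrase, then place the derived key in a keyring that the filesystem later looks up), here is a small self-contained Python model. It is not ecryptfs-utils code and is not a claim about eCryptfs's exact algorithm: the iteration count, salt, key length and signature scheme are assumptions chosen to show the pattern, and `ToyKeyring` is an in-memory stand-in for the kernel keyring rather than a wrapper around the real keyctl interface.

```python
import hashlib
from typing import Dict, Optional

# Illustrative constants (assumptions for this example, not ecryptfs-utils' own).
HASH_ITERATIONS = 65536                      # iterated hashing slows brute force
DEFAULT_SALT = bytes.fromhex("0011223344556677")  # 8-byte salt, constructed value
KEY_BYTES = 16                               # AES-128-sized file encryption key


def strengthen_passphrase(passphrase: str, salt: bytes = DEFAULT_SALT,
                          iterations: int = HASH_ITERATIONS) -> bytes:
    """Key strengthening: hash salt || passphrase, then re-hash the digest
    repeatedly. The passphrase itself is never what gets stored."""
    if len(salt) != 8:
        raise ValueError("salt must be exactly 8 bytes")
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    digest = hashlib.sha512(salt + passphrase.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha512(digest).digest()
    return digest[:KEY_BYTES]


def key_signature(key: bytes) -> str:
    """Short identifier derived from the key (a hash, so it reveals no key
    material). A mount can reference the key by this signature."""
    return hashlib.sha512(key).digest()[:8].hex()


class ToyKeyring:
    """In-memory stand-in for the kernel keyring: keys indexed by signature."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def add_passphrase(self, passphrase: str, salt: bytes = DEFAULT_SALT) -> str:
        """What an ecryptfs-manager-style tool does before a mount: derive the
        key, store it, and hand back the signature to reference it by."""
        key = strengthen_passphrase(passphrase, salt)
        sig = key_signature(key)
        self._keys[sig] = key
        return sig

    def lookup(self, sig: str) -> Optional[bytes]:
        """What the filesystem side does at mount/file-open time."""
        return self._keys.get(sig)

    def __len__(self) -> int:
        return len(self._keys)


def demo() -> str:
    # Constructed sample passphrase; the returned signature is what a mount
    # command would be given instead of the passphrase.
    ring = ToyKeyring()
    sig = ring.add_passphrase("correct horse battery staple")
    assert ring.lookup(sig) is not None
    return sig


if __name__ == "__main__":
    print("key signature:", demo())
```

The point the model makes is that the keyring holds a derived key, referenced by a short signature, so the mount step only needs the signature and never handles the raw passphrase; changing the salt yields an unrelated key and signature even for the same passphrase.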