Embed Size (px)
Citation preview
eCryptfs: An Enterprise-class Cryptographic Filesystemfor Linux
Michael Austin HalcrowInternational Business Machines, Inc.
Abstract
eCryptfs is a cryptographic filesystem forLinux that stacks on top of existing filesys-tems. It provides functionality similar to thatof GnuPG, only the process of encrypting anddecrypting the data is done transparently fromthe perspective of the application. eCryptfsleverages the recently introduced Linux ker-nel keyring service, the kernel cryptographicAPI, the Linux Pluggable Authentication Mod-ules (PAM) framework, OpenSSL/GPGME,the Trusted Platform Module (TPM), and theGnuPG keyring in order to make the processof key and authentication token managementseamless to the end user.
1 Enterprise Requirements
Any cryptographic application is hard to im-plement correctly and hard to effectively de-ploy. When key management and interactionwith the cryptographic processes are cumber-some and unwieldy, people will tend to ignore,disable, or circumvent the security measures.They will select insecure passphrases, mishan-dle their secret keys, or fail to encrypt their sen-sitive data altogether. This places the confiden-tiality and the integrity of the data in jeopardy
of compromise in the event of unauthorized ac-cess to the media on which the data is stored.
While users and administrators take greatpains to configure access control mecha-nisms, including measures such as user ac-count and privilege separation, Mandatory Ac-cess Control[13], and biometric identification,they often fail to fully consider the circum-stances where none of these technologies canhave any effect – for example, when the me-dia itself is separated from the control of itshost environment. In these cases, access con-trol must be enforced via cryptography.
When a business process incorporates a cryp-tographic solution, it must take several issuesinto account. How will this affect incrementalbackups? What sort of mitigation is in placeto address key loss? What sort of education isrequired on the part of the employees? Whatshould the policies be? Who should decidethem, and how are they expressed? How dis-ruptive or costly will this technology be? Whatclass of cryptography is appropriate, given therisks? Just what are the risks, anyway? When-ever sensitive data is involved, it is incumbentupon those responsible for the information toreflect on these sorts of questions and to takeaction accordingly.
We see today that far too many businessesneglect to effectively utilize on-disk encryp-
tion. We often see news reports of computerequipment that is stolen in trivial cases ofburglary[5] or of backup tapes with sensitivecustomer data that people lose track of.[10]While the physical security measures in placein these business establishments are usuallysufficient given the dollar value of the ac-tual equipment, businesses often underrate thevalue of the data contained on the media in thatequipment. Encryption can effectively protectthe data, but there there exist a variety of prac-tical barriers to using it effectively. eCryptfsdirectly addresses these issues.
1.1 Integration of File Encryption into theFilesystem
Cryptography extends access control beyondthe trusted domain. Within the trusted do-main, physical control, authentication mech-anisms, DAC/MAC[14][13], and other tech-nologies regulate what sort of behaviors userscan take with respect to data. Through variousmathematical operations, cryptographic appli-cations can enforce the confidentiality and theintegrity of the data when it is not under theseforms of protection. The mathematics, how-ever, is not enough. The cryptographic solu-tion must take human behavior into accountand compensate for tendencies to take actionsthat compromise the security afforded by thecryptographic application.
Several solutions exist that solve separatepieces of the data encryption problem. In oneexample highlighting transparency, employeeswithin an organization that uses IBM™ Lo-tus Notes™ [11] for its email will not evennotice the complex PKI or the encryption pro-cess that is integrated into the product. En-cryption and decryption of sensitive email mes-sages is seamless to the end user; it involveschecking an “Encrypt” box, specifying a recip-ient, and sending the message. This effectively
addresses a significant file in-transit confiden-tiality problem. If the local replicated mail-box database is also encrypted, then this ad-dresses confidentiality (to some extent) on thelocal storage device, but the protection is lostonce the data leaves the domain of Notes (forexample, if an attached file is saved to disk).The process must be seamlessly integrated intoall relevant aspects of the user’s operating en-vironment.
We learn from this particular application thatenvironments that embody strong hierarchicalstructures can more easily provide the infras-tructure necessary to facilitate an easy-to-useand effective organization-wide cryptographicsolution. Wherever possible, systems shouldleverage this infrastructure to protect sensitiveinformation. Furthermore, when organizationswith differing key management infrastructuresexchange data, the cryptographic applicationshould be flexible enough to support alternateforms of key management.
Current cryptographic solutions that ship withLinux distributions do not fully leverage ex-isting Linux security technologies to make theprocess seamless and transparent. Surprisinglyfew filesystem-level solutions utilize publickey cryptography. eCryptfs brings together thekernel cryptographic API, the kernel keyring,PAM, the TPM, and GnuPG in such a way soas to fill many of the gaps[3] that exist withcurrent popular cryptographic technologies.
1.2 Universal Applicability
Although eCryptfs is geared toward securingdata in enterprise environments, we exploredhow eCryptfs can be flexible for use in a widevariety of circumstances. The basic passphrasemode of operation provides equivalent func-tionality to that of EncFS[23] or CFS[20], withthe added advantage of the ability to copy an
encrypted file, as an autonomic unit, betweenhosts while preserving the associated crypto-graphic contexts. eCryptfs includes a plug-gable Public Key Infrastructure API throughwhich it can utilize arbitrary sources for pub-lic key management. One such plugin inter-faces with GnuPG (see Section 5.7) in order toleverage the web-of-trust mechanism alreadyin wide use among participants on the Internet.
1.3 Enterprise-class
We designed and implemented eCryptfs withthe enterprise environment in mind. These en-vironments entail a host of unique opportuni-ties and requirements.
1.3.1 Ease of Deployment
eCryptfs does not require any modifications tothe Linux kernel itself.1 It is deployable as astand-alone kernel module that utilizes a setof userspace tools to perform key managementfunctions.
Many other cryptographic filesystem solutions,such as dm-crypt, require that a fixed partition(or image) be established upon which to writethe encrypted data. This provides the flexi-bility of block-layer encryption; any applica-tion, such as swap, a database application, ora filesystem, can use it without any modifica-tion to the application itself. However, it islimited in that the amount of space allocatedfor the encrypted data is fixed. It is an incon-venient task to increase or decrease the amountof space available on the encrypted partition.
Cryptographic filesystems like EncFS[23] andCFS[20] are more easily deployable, as they
1Note that thekey_type_usersymbol must be ex-ported by the kernel keyring module, which may requirea one-line patch for older versions of the module.
operate at the VFS layer and can mount ontop of any previously existing directory. Thesefilesystems store cryptographic metadata inspecial files stored in the location mounted.Thus, the files themselves cannot be decryptedunless the user copies that metadata along withthe encrypted files.
eCryptfs goes one step beyond other filesys-tems by storing cryptographic metadata di-rectly in the files. This information is associ-ated on a per-file basis, in a manner dictated bypolicies that are contained in special files onthe target. These policies specify the behaviorof eCryptfs as it works with individual files atthe target. These policies are not required inorder for the user to work with the files, but thepolicies can provide enhanced transparency ofoperation. Planned enhancements include util-ities to aid in policy generation (see Section 7).
1.3.2 PKI Integration
Through its pluggable PKI interface (see Sec-tion 5.7), eCryptfs aims to be integrable withexisting Public Key Infrastructures.
1.3.3 TPM Utilization
The Trusted Computing Group has publishedan architecture standard for hardware supportfor various secure operations.[7] Several ven-dors, including IBM, implement this standardin their products today. As an example, morerecent IBM Thinkpad and workstation prod-ucts ship with an integrated Trusted ComputingPlatform (TPM) chip.
The TPM can be configured to generate a pub-lic/private keypair in which the private expo-nent cannot be obtained from the chip. Thesession key to be encrypted or decrypted with
this key must be passed to the chip itself, whichwill then use the protected private key to per-form the operation. This hardware support pro-vides a strong level of protection for the keythat is beyond that which can be provided by asoftware implementation alone.
Using a TPM, eCryptfs can essentially “bind”a set of files to a particular host. Should themedia ever be separated from the host whichcontains the TPM chip, the session keys (seeSection 5.1) of the file will be irretrievable.The user can even configure the TPM in sucha manner so that the TPM will refuse to de-crypt data unless the machine is booted in acertain configuration; this helps to address at-tacks that involve booting the machine fromuntrusted media.
1.3.4 Key Escrow
Employees often forget or otherwise lose theircredentials, and it is subsequently necessaryfor the administrator to reset or restore thosecredentials. Organizations expect this to hap-pen and have processes in place to rectify thesituations with a minimal amount of overhead.When strong cryptographic processes are inplace to enforce data integrity and confiden-tiality, however, the administrator is no morecapable of retrieving the keys than anyone elseis, unless some steps are taken to store the keyin a trustworthy escrow.
1.3.5 Incremental Backups
Cryptographic filesystem solutions that oper-ate at the block layer do not provide adequatesecurity when interoperating with incrementalbackup utilities. Solutions that store crypto-graphic contexts separately from the files to
which they apply, as EncFS or CFS do, al-low for incremental backup utilities to oper-ate while maintaining the security of the data,but the administrator must take caution to as-sure that the backup tools are also recording thecryptographic metadata. Since eCryptfs storesthis data in the body of the files themselves,the backup utilities do not need to take any ad-ditional measures to make a functional backupof the encrypted files.
2 Related Work
eCryptfs extends cryptfs, which is one ofthe filesystems instantiated by the stackablefilesystem framework FiST.[9] Erez Zadokheads a research lab at Stony Brook University,where FiST development takes place. Cryptfsis an in-kernel implementation; another optionwould be to extend EncFS, a userspace crypto-graphic filesystem that utilizes FUSE to inter-act with the kernel VFS, to behave in a similarmanner. Much of the functionality of eCryptfsrevolves around key management, which canbe integrated, without significant modification,into a filesystem like EncFS.
Other cryptographic filesystem solutionsavailable under Linux include dm-crypt[18](preceded by Cryptoloop and Loop-AES),CFS[20], BestCrypt[21], PPDD[19],TCFS[22], and CryptoFS[24]. Reiser4[25]provides a plugin framework whereby crypto-graphic operations can be implemented.
3 Design Structure
eCryptfs is unique from most other crypto-graphic filesystem solutions in that it storesa complete set of cryptographic metadata to-gether with each individual file, much like
Figure 1: Overview of eCryptfs architecture
PGP-encrypted files are formatted. This al-lows for encrypted files to be transferred acrosstrusted domains while maintaining the abilityfor those with the proper credentials to gainaccess to those files. Because the encryptionand decryption takes place at the VFS layer,the process is made transparent from the ap-plication’s perspective.
eCryptfs is implemented as a kernel mod-ule augmented with various userspace utili-ties for performing key management functions.The kernel module performs the bulk encryp-tion of the file contents via the kernel crypto-graphic API. A keystore component extractsthe header information from individual files2
and forwards this data to a callout application.The callout application evaluates the headerinformation against the target policy and per-forms various operations, such as promptingthe user for a passphrase or decrypting a ses-
2Note that the initial prototype of eCryptfs, demon-strated at OLS 2004, utilized Extended Attributes (EA)to store the cryptographic context. Due to the fact thatEA’s are not ubiquitously and consistently supported,this information was moved directly into the file con-tents. eCryptfs now uses EA’s to cache cryptographiccontexts, but EA support is not required for correct op-eration.
sion key with a private key.
eCryptfs performs key management operationsat the time that an application either opens orcloses a file (see Figure 2). Since these eventsoccur relatively infrequently in comparison topage reads and writes, the overhead involved intransferring data and control flow between thekernel and userspace is relatively insignificant.Furthermore, pushing key management func-tions out into userspace reduces the amountand the complexity of code that must run inkernel space.
4 Cryptographic Operations
eCryptfs performs the bulk symmetric encryp-tion of the file contents in the kernel moduleportion itself. It utilizes the kernel crypto-graphic API.
4.1 File Format
The underlying file format for eCryptfs isbased on the OpenPGP format described in
Figure 2: New file process
RFC 2440[2] (see Figure 3). In order to ac-commodate random access, eCryptfs necessar-ily deviates from that standard to some extent.The OpenPGP standard assumes that the en-cryption and decryption is done as an atomicoperation over the entire data contents of thefile; there is no concept of a partially encryptedor decrypted file. Since the data is encryptedusing a chained block cipher, it would be im-possible to read the very last byte of a file with-out first decrypting the entire contents of thefile up to that point. Likewise, writing the very
first byte of the file would require re-encryptingthe entire contents of the file from that point.
To compensate for this particular issue whilemaintaining the security afforded by a cipheroperating in block chaining mode[6], eCryptfsbreaks the data into extents. These extents,by default, span the page size (as specified foreach kernel build). Data is dealt with on aper-extent basis; any data read from the mid-dle of an extent causes that entire extent to bedecrypted, and any data written to that extent
Figure 3: Underlying file format
causes that entire extent to be encrypted.
Each extent has a unique initialization vector(IV) associated with it. One extent containingIV’s precedes a group of extents to which thoseIV’s apply. Whenever data is written to an ex-tent, its associated IV is rotated and rewritten tothe IV extent before the associated data extentis encrypted. The extents are encrypted withthe block cipher selected by policy for that fileand employ CBC mode to chain the blocks.
4.1.1 Sparse Files
Sparse files present a challenge for eCryptfs.Under UNIX semantics, a file becomes sparsewhen an application seeks past the end of a file.The regions of the file where no data is writtenrepresentholes. No data is actually written tothe disk for these regions; the filesystem “fakesit” by specially marking the regions and settingthe reported filesize accordingly. The space oc-cupied on the disk winds up being less than thesize of the file as reported by the file’s inodes.When sparse regions are read, the filesystemsimply pretends to be reading the data from thedisk by filling in zero’s for the data.
The underlying file structure for eCryptfsis amenable to accommodating this behav-ior; IV’s consisting of all zero’s can indicatethat the underlying region that corresponds issparse. The obvious problem with this ap-proach is that it is readily apparent to an at-tacker which regions of the file consist of holes,
and this may constitute an unacceptable breachof confidentiality. It makes sense to relegateeCryptfs’s behavior with respect to sparse filesas something that policy decides.
4.2 Kernel Crypto API
eCryptfs performs the bulk data encryption inthe kernel module, and hence it takes advan-tage of the kernel cryptographic API to per-form the encryption and the decryption. Oneof the primary motivators in implementingeCryptfs in the kernel is to avoid the overheadof context switches between userspace and ker-nel space, which is frequent when dealing withpages in file I/O. Any symmetric ciphers sup-ported by the Linux kernel are candidates forusage as the bulk data ciphers for the eCryptfsfiles.
4.3 Header Information
eCryptfs stores the cryptographic context foreach file as header information contained di-rectly in the underlying file (see Figure 4).Thus, all of the information necessary for userswith the appropriate credentials to access thefile is readily available. This makes filesamenable to transfer across untrusted domainswhile preserving the information necessary todecrypt and/or verify the contents of the file.In this respect, eCryptfs operates much like anOpenPGP application.
Figure 4: Writing file headers
Most encrypted filesystem solutions either op-erate on the entire block device or operate onentire directories. There are several advantagesto implementing filesystem encryption at thefilesystem level and storing encryption meta-data in the headers of each file:
• Granularity: Keys can be mapped to in-dividual files, rather than entire block de-vices or entire directories.
• Backup Utilities: Incremental backuptools can correctly operate without havingto have access to the decrypted content ofthe files it is backing up.
• Performance: In most cases, only cer-tain files need to be encrypted. Systemlibraries and executables, in general, do
not need to be encrypted. By limiting theactual encryption and decryption to onlythose files that really need it, system re-sources will not be taxed as much.
• Transparent Operation: Individual en-crypted files can be easily transferred offof the block device without any extratransformation, and others with authoriza-tion will be able to decrypt those files. Theuserspace applications and libraries do notneed to be modified and recompiled tosupport this transparency.
4.4 Rotating Initialization Vectors
eCryptfs extents span page lengths. For mostarchitectures, this is 4096 bytes. Subsequent
writes within extents may provide informa-tion to an attacker who aims to perform lin-ear cryptanalysis against the file. In order tomitigate this risk, eCryptfs associates a uniqueInitialization Vector with each extent. TheseIV’s are interspersed throughout each file. Inorder to simplify and streamline the mappingof the underlying file data with the overlyingfile, IV’s are currently grouped on a per-pagebasis.
4.5 HMAC’s Over Extents
Integrity verification can be accomplished viasets of keyed hashes over extents within thefile. Keyed hashes are used to prove thatwhoever modified the data had access to theshared secret, which is, in this case, the ses-sion key. Since hashes apply on a per-extentbasis, eCryptfs need not generate the hash overthe entire file before it can begin reading thefile. If, at any time in the process of readingthe file, eCryptfs detects a hash mismatch foran extent, it can flag the read operation as fail-ing in the return code for the VFS syscall.
This technique can be applied to generatea built-in digital signature structure for filesdownloaded over the Internet. Given that aneCryptfs key management module is able to as-certain the trustworthiness of a particular key,then that key can be used to encode a verifi-cation packet into the file via HMAC’s. Thisis accomplished by generating hashes over theextents of the files, as eCryptfs normally doeswhen operating in integrity verification mode.When the file is closed, an HMAC is gen-erated by hashing the concatenation of all ofthe hashes in the file, along with a secret key.This HMAC is then encrypted with the distrib-utor’s private key and written to an HMAC-type packet. The recipients of the file can pro-ceed then to retrieve the secret key by decrypt-ing it with the distributor’s trusted public key
and performing the hash operations to gener-ate the final HMAC, which can be comparedthen against the HMAC that is stored in the fileheader in order to verify the file’s integrity.
4.6 File Context
Each eCryptfs inode correlates with an inodefrom the underlying filesystem and has a cryp-tographic context associated with it. This con-text contains, but is not limited to, the follow-ing information:
• The session key for the file
• Whether the file is encrypted
• A pointer to the kernel crypto API contextfor that file
• The signatures of the authentication to-kens associated with that file
• The size of the extents
eCryptfs can cache each file’s cryptographiccontext in the user’s session keyring in orderto facilitate faster repeat access by bypassingthe process of reading and interpreting of au-thentication token header information from thefile.
4.7 Revocation
Since anyone with the proper credentials canextract a file’s session key, revocation of accessfor any given credential to future versions ofthe file will necessitate regeneration of a ses-sion key and re-encryption of the file data withthat key.
Figure 5: Key management
5 Key Management
eCryptfs aims to operate in a manner that is astransparent as possible to the applications andthe end users of the system. Under most cir-cumstances, when access control over the datacannot be provided at all times by the host, thefact that the files are being encrypted shouldnot be a concern for the user. Encryption mustprotect the confidentiality and the integrity ofthe files in these cases, and the system is con-figured to do just that, using the user’s authen-tication credentials to generate or access thekeys.
5.1 Session Keys
Every file receives a randomly generated ses-sion key, which eCryptfs uses in the bulk dataencryption of the file contents. eCryptfs storesthis session key in the cryptographic metadatafor the file, which is in turn cached in the user’ssession keyring. When an application closesa newly created file, the eCryptfs encrypts thesession key once for each authentication tokenassociated with that file, as dictated by policy,then writes these encrypted session keys intopackets in the header of the underlying file.
When an application later opens the file,eCryptfs reads in the encrypted session keys
and chains them off of the cryptographic meta-data for the file. eCryptfs looks through theuser’s authentication tokens to attempt to finda match with the encrypted session keys; ituses the first one found to decrypt the sessionkey. In the event that no authentication tokensin the user’s session keyring can decrypt anyof the encrypted session key packets, eCryptfsfalls back on policy. This policy can dictateactions such as querying PKI modules for theexistence of private keys or prompting the userfor a passphrase.
5.2 Passphrase
Passwords just don’t work anymore.– Bruce Schneier
Many cryptographic applications in Linux relytoo heavily on passphrases to protect data.Technology that employs public key cryp-tography provides stronger protection againstbrute force attacks, given that the passphrase-protected private keys are not as easily accessi-ble as the encrypted data files themselves.
Passphrase authentication tokens in eCryptfsexist in three forms: non-passphrased, salt-less, and salted. In order to address the threatof passphrase dictionary attacks, eCryptfs uti-lizes the method whereby a salt value is con-catenated with a passphrase to generate apassphrase identifier. The concatenated valueis iteratively hashed (65,537 times by default)to generate the identifying signature for thesalted authentication token.
On the other hand, saltless authentication to-kens exist only in the kernel keyring and are notat any time written out to disk. The userspacecallout application combines these saltless au-thentication tokens with non-passphrased au-thentication tokens to generate candidate saltedauthentication tokens, whose signatures arecompared against those in file headers.
While eCryptfs supports passphrase-based pro-tection of files, we do not recommend usingpassphrases for relatively high-value data thatrequires more than casual protection. Mostpassphrases that people are capable of remem-bering are becoming increasingly vulnerable tobrute force attacks. eCryptfs takes measuresto make such attacks more difficult, but thesemeasures can only be so effective against a de-termined and properly equipped adversary.
Every effort should be made to employ the useof a TPM and public key cryptography to pro-vide strong protection of data. Keep in mindthat using a passphrase authentication token inaddition to a public key authentication tokendoes not in any way combine the security ofboth; rather, it combines theinsecurityof both.This is due to the fact that, given two authen-tication tokens, eCryptfs will encrypt and storetwo copies of the session key (see Section 5.1)that can individually be attacked.
5.3 Kernel Keyring
David Howells recently authored the keyringservice, which kernel versions 2.6.10 and laternow include. This keyring provides a host offeatures to manage and protect keys and au-thentication tokens. eCryptfs takes advantageof the kernel keyring, utilizing it to store au-thentication tokens, inode cryptographic con-texts, and keys.
5.4 Callout and Daemon
The primary contact between the eCryptfs ker-nel module and the userspace key manage-ment code is the request-key callout applica-tion, which the kernel keyring invokes. Thiscallout application parses policy informationfrom the target, which it interprets in relationto the header information in each file. It may
then make calls through the PKI API in order tosatisfy pending public key requests, or it maygo searching for a salted passphrase with a par-ticular signature.
In order to be able to prompt the user for apassphrase via a dialog box, eCryptfs musthave an avenue whereby it can get to the user’sX session. The user can provide this means bysimply running a daemon. The eCryptfs dae-mon listens to a socket (for which the locationis written to the user’s session keyring). When-ever policy calls for the user to be promptedfor a passphrase, the callout application can re-trieve the socket’s location and use it to requestthe daemon to prompt the user; the daemonthen returns the user’s passphrase to the call-out application.
5.5 Userspace Utilities
To accommodate those who are not running theeCryptfs layer on their systems, userspace util-ities to handle the encrypted content comprisepart of the eCryptfs package. These utilities actmuch like scaled-down versions of GnuPG.
5.6 Pluggable Authentication Module
Pluggable Authentication Modules (PAM)provide a Discretionary Access Control(DAC)[14] mechanism whereby admin-istrators can parameterize how a user isauthenticated and what happens at the timeof authentication. eCryptfs includes a modulethat captures the user’s login passphrase andstores it in the user’s session keyring. Thispassphrase is stored in the user’s sessionkeyring as a saltless passphrase authenticationtoken.
Future actions by eCryptfs, based on policy,can then use this passphrase to perform cryp-tographic operations. For example, the login
passphrase can be used to extract the user’s pri-vate key from his GnuPG keyring. It could beused to derive a key (via a string-to-key oper-ation) that is directly used to protect a sessionkey for a set of files. Furthermore, this derivedkey could be combined with a key stored in aTPM in order to offer two-factor authentication(i.e., in order to access a file, the user must have(1) logged into a particular host (2) using a par-ticular passphrase).
Due to PAM’s flexibility, these operations donot need to be restricted to a passphrase. Thereis no reason, for example, that a key containedon a SmartCard or USB device could not beused to help authenticate the user, after whichpoint that key is used in the above named cryp-tographic operations.
5.7 PKI
eCryptfs offers a pluggable Public Key Infras-tructure (PKI) interface. PKI modules acceptkey identifiers and data, and they return en-crypted or decrypted data. Whether any partic-ular key associated with an identifier is avail-able, trustworthy, etc., is up to the PKI moduleto determine.
eCryptfs PKI modules need to implement a setof functions that accept as input the key identi-fier and a blob of data. The modules have theresponsibility to take whatever course of actionis necessary to retrieve the requisite key, evalu-ate the trustworthiness of that key, and performthe public key operation.
eCryptfs includes a PKI module that uti-lizes the GnuPG Made Easy (GPGME) inter-face to access and utilize the user’s GnuPGkeyring. This module can utilize the user’s lo-gin passphrase credential, which is stored inthe user’s session keyring by the eCryptfs PAM(see Section 5.6), to decrypt and utilize theuser’s private key stored on the user’s keyring.
The eCryptfs TPM PKI module utilizes theTrouSerS[26] interface to communicate withthe Trusted Platform Module. This allows forthe use of a private key that is locked in thehardware, binding a file to a particular host.
The eCryptfs openCryptoki PKCS#11[15]framework PKI provides a mechanism forperforming public key operations via varioushardware devices supported by openCryptoki,including the IBM Cryptographic Accelerator(ICA) Model 2058, the IBM 4758 PCI Cryp-tographic Coprocessor, the Broadcom CryptoAccelerator, the AEP Crypto Accelerator, andthe TPM.
It is easy to write additional PKI modules foreCryptfs. Such modules can interface withexisting PKI’s that utilize x.509 certificates,with certificate authorities, revocation lists, andother elements that help manage keys within anorganization.
5.8 Key Escrow/Secret Sharing
In enterprise environments, it often makessense for data confidentiality and integrity tobe a shared responsibility. Just as prudent busi-ness organizations entail backup plans in theevent of the sudden loss of any one employee,the data associated with business operationsmust survive any one individual in the com-pany. In the vast majority of the cases, it isacceptable for all members of the business tohave access to a set of data, while it is notacceptable for someone outside the companywho steals a machine or a USB pen drive tohave access to that data. In such cases, someforms of key escrow within the company areappropriate.
In enterprise environments where corporateand customer data are being protected crypto-graphically, key management and key recov-ery is an especially critical issue. Techniques
such as secret splitting or (m,n)-thresholdschemes[4] can be used within an organizationto balance the need for key secrecy with theneed for key recovery.
5.9 Target-centric Policies
When an application creates a new file,eCryptfs must make a number of decisionswith regard to that file. Should the file be en-crypted or unencrypted? If encrypted, whichsymmetric block cipher should be used toencrypt the data? Should the file containHMAC’s in addition to IV’s? What should thesession key length be? How should the sessionkey be protected?
Protecting the session key on disk requireseven more policy decisions. Should apassphrase be used? Which one, and howshould it be retrieved? What should be thestring-to-key parameters (i.e., which hash al-gorithm and the number of hash iterations)?Should any public keys be used? If so, whichones, and how should they be retrieved?
eCryptfs currently supports Apache-like policydefinition files3 that contain the policies thatapply to the target in which they exist. For ex-ample, if the root directory on a USB pen drivedevice contains a .ecryptfsrc file, then eCryptfswill parse the policy from that file and applyit to all files under the mount point associatedwith that USB pen drive device.
Key definitions associate labels with(PKI, Id) tuples (see Figure 6).
Application directive definitions override de-fault policies for the target, dependent uponthe application performing the action and thetype of action the application is performing(see Figure 7).
3XML formats are currently being worked on.
<ApplicationDirectiveDef mutt_prompt_on_read_encrypted>Application /usr/bin/muttScenario OPEN_FOR_READFileState ENCRYPTEDAction PROMPT
</ApplicationDirectiveDef>
<ApplicationDirectiveDef mutt_decrypt>Application /usr/bin/muttScenario ALLFileState ENCRYPTEDAction DECRYPT
</ApplicationDirectiveDef>
<ApplicationDirectiveDef openoffice_strong_encrypt>Application /usr/bin/oofficeScenario OPEN_FOR_CREATEAction encrypt_strong
</ApplicationDirective>
Figure 7: Example policy: application directives
The action definitions associate labels with(Action, Cipher, SessionKeySize) tuples.eCryptfs uses these directives to set crypto-graphic context parameters for files (see Figure8).
The directory policy definitions give defaultactions for files created under the specified di-rectory location, along with application direc-tives that apply to the directory location (seeFigure 9).
6 Additional Measures
eCryptfs concerns itself mainly with protect-ing data that leaves trusted domains. Addi-tional measures are necessary to address var-ious threats outside the scope of eCryptfs’sinfluence. For example, swap space should
be encrypted; this can be easily accomplishedwith dm-crypt.[18]
Strong access control is outside the scope ofthe eCryptfs project, yet it is absolutely neces-sary to provide a comprehensive security solu-tion for sensitive data. SE Linux[16] providesa robust Mandatory Access Control frameworkthat can be leveraged with policies to protectthe user’s data and keys.
Furthermore, the system should judiciouslyemploy timeouts or periods of accessibil-ity/applicability of credentials. The kernelkeyring provides a convenient and powerfulmechanism for handling key permissions andexpirations. These features must be used ap-propriately in order to address human over-sight, such as failing to lock down a terminalor otherwise exit or invalidate a security con-text when the user is finished with a task.
<Directory />DefaultAction blowfish_encryptDefaultState PROMPTDefaultPublicKeys mhalcrow legalDefaultPassphrase LOGIN# This directives for files under this location# that meet this criteria<FilePattern \.mutt_.*>
ApplicationDirective mutt_decrypt</FilePattern>ApplicationDirective mutt_prompt_on_read_encrypted
</Directory>
# Overrides the prior set of policies<Directory /gnucash>
DefaultAction encrypt_strongDefaultPublicKeys host_tpm
</Directory>
Figure 9: Example policy: directory policies
7 Future Work
eCryptfs is currently in an experimental stageof development. While the majority of the VFSfunctionality is implemented and functioning,eCryptfs requires testing and debugging acrossa wide range of platforms under a variety ofworkload conditions.
eCryptfs has the potential to provide weak filesize secrecy in that the size of the file wouldonly be determinable to the granularity of oneextent size, given that the file size field inthe header is encrypted with the session key.Strong file size secrecy is much more easilyobtained through block device layer encryp-tion, where everything about the filesystem isencrypted. eCryptfs only encrypts the datacontents of the files; additional secrecy mea-sures must address dentry’s, filenames, andExtended Attributes, which are all within therealm of what eCryptfs can influence.
At this stage, eCryptfs requires extensive pro-filing and streamlining in order to optimize itsperformance. We need to investigate oppor-tunities for caching cryptographic metadata,and variations on such attributes as the size ofthe extents could have a significant impact onspeed.
eCryptfs policy files are equivalent to theApache configuration files in form and com-plexity. eCryptfs policy files are amenable toguided generation via user utilities. Anothersignificant area of future development includesthe development of such utilities to aid in thegeneration of these policy files.
Desktop environments such as GNOME orKDE can provide users with a convenient in-terface through which to work with the cryp-tographic properties of the files. In one sce-nario, by right-clicking on an icon represent-ing the file and selecting “Security”, the user
<Key mhalcrow>PKI GPGId 3F5C22A9
</Key>
<Key legal>PKI GPGId 7AB1FF25
</Key>
<Key host_tpm>PKI TPMId DEFAULT
</Key>
Figure 6: Example policy: key defs
will be presented with a window that can beused to control the encryption status of the file.Such options will include whether or not thefile is encrypted, which users should be ableto encrypt and decrypt the file (identified bytheir public keys as reported by the PKI pluginmodule), what cipher is used, what keylengthis used, an optional passphrase that is used toencrypt the symmetric key, whether or not touse keyed hashing over extents of the file forintegrity, the hash algorithms to use, whetheraccesses to the file when no key is availableshould result in an error or in the encryptedblocks being returned (as dictated by target-centric policies5.9), and other properties thatare interpreted and used by the eCryptfs layer.
8 Recognitions
We would like to express our appreciation forthe contributions and input on the part of allthose who have laid the groundwork for an ef-fort toward transparent filesystem encryption.
<ActionDef blowfish_encrypt>Action ENCRYPTCipher blowfishSessionKeySize 128
</ActionDef>
<ActionDef encrypt_strong>Action ENCRYPTCipher aesSessionKeySize 256
</ActionDef>
Figure 8: Example policy: action defs
This includes contributors to FiST and Cryptfs,GnuPG, PAM, and many others from whichwe are basing our development efforts, as wellas several members of the kernel developmentcommunity.
9 Conclusion
eCryptfs is an effort to reduce the barriers thatstand in the way of the effective and ubiqui-tous utilization of file encryption. This is espe-cially relevant as physical media remains ex-posed to theft and unauthorized access. When-ever sensitive data is being handled, it shouldbe themodus operandithat the data be en-crypted at all times when it is not directly beingaccessed in an authorized manner by the appli-cations. Through strong and transparent keymanagement that includes public key support,key->file association, and target-centric poli-cies, eCryptfs provides the means whereby acryptographic filesystem solution can be moreeasily and effectively deployed.
10 Availability
eCryptfs is licensed under the GNUGeneral Public License (GPL). Source-Forge is hosting the eCryptfs code baseat http://sourceforge.net/projects/ecryptfs . We welcomeany interested parties to become involved inthe testing and development of eCryptfs.
11 Legal Statement
This work represents the view of the author anddoes not necessarily represent the view of IBM.
IBM and Lotus Notes are registered trade-marks of International Business Machines Cor-poration in the United States, other countries,or both.
Other company, product, and service namesmay be trademarks or service marks of others.
References
[1] M. Blaze. “Key Management in an En-crypting File System”, Proc.Summer ’94USENIX Tech. Conference, Boston, MA,June 1994.
[2] J. Callas, L. Donnerhacke, H. Finney, andR. Thayer. RFC 2440. November 1998.See ftp://ftp.rfc-editor.org/in-notes/rfc2440.txt .
[3] M. Halcrow. “Demands, Solutions, andImprovements for Linux Filesystem Se-curity.” Proceedings of the 2004 OttawaLinux Symposium, Ottawa, Canada, July2004.
[4] S. C. Kothari. “Generalized Linear Thresh-old Scheme.” Advances in Cryptology:Proceedings of CRYPTO 84, Springer-Verlag, 1985, pp. 231-241.
[5] M. Liedtke. “Stolen UC Berke-ley laptop exposes personal data ofnearly 100,000.” Associated Press.March 29, 2005. Seehttp://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2005/03/28/financial/f151143S80.DTL
[6] B. Schneier.Applied Cryptography. NewYork: John Wiley & Sons, Inc., 1996. Pp.193-197.
[7] The Trusted Computing Group.“TCG Specification ArchitectureOverview version 1.0.” https://www.trustedcomputinggroup.org/downloads/ TCG_1_0_Architecture_Overview.pdf
[8] E. Zadok, L. Badulescu, and A. Shen-der. “Cryptfs: A stackable vnode levelencryption file system.”Technical ReportCUCS-021-98, Computer Science Depart-ment, Columbia University, 1998.
[9] E. Zadok and J. Nieh. “FiST: A Languagefor Stackable File Systems.”Proceedingsof the Annual USENIX Technical Confer-ence, pp. 55-70, San Diego, June 2000.
[10] “Ameritrade addresses missing tape.”United Press International. April 19, 2005.See http://washingtontimes.com/upi-breaking/20050419-110638-7335r.htm
[11] For more information on IBM LotusNotes, see http://www-306.ibm.com/software/lotus/ . Informationon Notes security can be obtained fromhttp://www-10.lotus.com/ldd/today.nsf/f01245ebfc115aaf
8525661a006b86b9/232e604b847d2cad88256ab90074e298?OpenDocument
[12] For more information on PluggableAuthentication Modules (PAM), seehttp://www.kernel.org/pub/linux/libs/pam/
[13] For more information on MandatoryAccess Control (MAC), seehttp://csrc.nist.gov/publications/nistpubs/800-7/node35.html
[14] For more information on DiscretionaryAccess Control (DAC), seehttp://csrc.nist.gov/publications/nistpubs/800-7/node25.html
[15] For more information on openCryptoki,see http://sourceforge.net/projects/opencryptoki
[16] For more information on Security-Enhanced Linux (SE Linux), seehttp://www.nsa.gov/selinux/index.cfm
[17] For more information on Samhain, seehttp://la-samhna.de/samhain/
[18] For more information on DM-crypt,see http://www.saout.de/misc/dm-crypt/
[19] For more information on PPDD,see http://linux01.gwdg.de/~alatham/ppdd.html
[20] For more information on CFS, seehttp://sourceforge.net/projects/cfsnfs/
[21] For more information on BestCrypt, seehttp://www.jetico.com/index.htm#/products.htm
[22] For more information on TCFS, seehttp://www.tcfs.it/
[23] For more information on EncFS,see http://arg0.net/users/vgough/encfs.html
[24] For more information on CryptoFS, seehttp://reboot.animeirc.de/cryptofs/
[25] For more information on Reiser4, seehttp://www.namesys.com/v4/v4.html
[26] For more information on TrouSerS,see http://sourceforge.net/projects/trousers/
