
Ext4 encryption

Posted May 20, 2018 12:00 UTC (Sun) by e4crypt (guest, #124524)
In reply to: Ext4 encryption by jem
Parent article: Ext4 encryption

Ok, so what happens if I make a link to an encrypted file so that there exists a (hard) link to it both inside the encrypted directory and outside of it?

The name of the link outside the protected directory will obviously remain unencrypted. The contents, however, will remain inaccessible until a correct key is in the keyring.

# truncate -s 2G storage
# mkfs.ext4 storage
# tune2fs -O encrypt storage
# mkdir mountpoint
# mount storage mountpoint
# cd mountpoint
# mkdir protected plain-text
# e4crypt add_key protected
# cd protected
# wget https://static.lwn.net/images/logo/barepenguin-70.png
# ln barepenguin-70.png ../plain-text
# file ../plain-text/barepenguin-70.png 
> ../plain-text/barepenguin-70.png: PNG image data, 70 x 81, 8-bit/color RGBA, non-interlaced
# cd ../..
# umount mountpoint
# e4crypt new_session
# mount storage mountpoint
# cd mountpoint
# file plain-text/barepenguin-70.png 
> plain-text/barepenguin-70.png: writable, regular file, no read permission
# cat plain-text/barepenguin-70.png 
> plain-text/barepenguin-70.png: Required key not available

Or if I make a (hard) link to a non-encrypted file that appears below the encrypted directory?

The system won't let you.

# touch plain-text/fuck_systemd
# ln plain-text/fuck_systemd protected
> ln: failed to create hard link 'protected/fuck_systemd' => 'plain-text/fuck_systemd': Operation not permitted

May 2018. Tested with kernel 4.14.40 and e2fsprogs 1.44.1.
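
An added example, not part of the comment above and not code from e2fsprogs: a Python audit that walks a mounted filesystem and lists files that have one hard link inside an encrypted directory and another outside it, so their names are readable in plaintext even without the key. It relies on the behaviour shown above (the kernel refuses to link a plain file into an encrypted directory, so any inode linked there is encrypted); the function names are hypothetical and the ioctl number assumes 64-bit Linux.

```python
"""Find encrypted files whose names are exposed through hard links outside an encrypted directory."""
import array
import fcntl
import os
import stat
import sys
from collections import defaultdict

FS_IOC_GETFLAGS = 0x80086601  # _IOR('f', 1, long); assumes 64-bit Linux
FS_ENCRYPT_FL = 0x00000800    # inode flag that lsattr prints as 'E'

def dir_is_encrypted(path):
    """True if the directory carries the encryption flag (readable without the key)."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    except OSError:
        return False
    try:
        flags = array.array("l", [0])
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, flags)
        return bool(flags[0] & FS_ENCRYPT_FL)
    except OSError:  # filesystem without inode flags
        return False
    finally:
        os.close(fd)

def exposed_links(records):
    """records: (dev, ino, path, parent_dir_encrypted), one per hard link.
    Returns {(dev, ino): [paths in unencrypted directories]} for every inode
    that also has at least one link inside an encrypted directory."""
    inside, outside = defaultdict(list), defaultdict(list)
    for dev, ino, path, enc in records:
        (inside if enc else outside)[(dev, ino)].append(path)
    return {key: sorted(outside[key]) for key in inside if key in outside}

def scan(root):
    """Yield one record per regular file under root that has more than one link."""
    for dirpath, _dirs, files in os.walk(root):
        enc = dir_is_encrypted(dirpath)
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                yield st.st_dev, st.st_ino, path, enc

if __name__ == "__main__":
    for (_dev, ino), paths in exposed_links(scan(sys.argv[1])).items():
        print(f"inode {ino}: encrypted file visible as {', '.join(paths)}")
```

Run against the mount point from the session above, it would be expected to report plain-text/barepenguin-70.png, whether or not the key is in the keyring.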




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds