1E4CRYPT(8)                  System Manager's Manual                 E4CRYPT(8)
2
3
4

NAME

6       e4crypt - ext4 filesystem encryption utility
7

SYNOPSIS

9       e4crypt add_key -S [ -k keyring ] [-v] [-q] [ -p pad ] [ path ... ]
10       e4crypt new_session
11       e4crypt get_policy path ...
12       e4crypt set_policy [ -p pad ] policy path ...
13

DESCRIPTION

15       e4crypt performs encryption management for ext4 file systems.
16

COMMANDS

18       e4crypt add_key [-vq] [-S salt ] [-k keyring ] [ -p pad ] [ path ... ]
19              Prompts the user for a passphrase and inserts it into the speci‐
20              fied keyring.  If no keyring is specified, e4crypt will use  the
21              session  keyring  if it exists or the user session keyring if it
22              does not.
23
24              The salt argument is interpreted in a number of different  ways,
25              depending  on how its prefix value.  If the first two characters
26              are "s:", then the rest of the argument will be used as an  text
27              string  and used as the salt value.  If the first two characters
28              are "0x", then the rest of the argument will be parsed as a  hex
29              string  as  used  as the salt.  If the first characters are "f:"
30              then the rest of the argument will be interpreted as a  filename
31              from  which  the  salt value will be read.  If the string begins
32              with a '/' character, it will similarly be treated as  filename.
33              Finally,  if  the  salt  argument can be parsed as a valid UUID,
34              then the UUID value will be used as a salt value.
35
36              The keyring argument specifies the  keyring  to  which  the  key
37              should be added.
38
39              The  pad  value specifies the number of bytes of padding will be
40              added to directory names for obfuscation  purposes.   Valid  pad
41              values are 4, 8, 16, and 32.
42
43              If  one  or more directory paths are specified, e4crypt will try
44              to set the policy of those directories to use the key just added
45              by  the  add_key  command.   If a salt was explicitly specified,
46              then it will be used to derive the encryption key of  those  di‐
47              rectories.   Otherwise a directory-specific default salt will be
48              used.
49
50       e4crypt get_policy path ...
51              Print the policy for the directories specified  on  the  command
52              line.
53
54       e4crypt new_session
55              Give  the  invoking  process  (typically  a shell) a new session
56              keyring, discarding its old session keyring.
57
58       e4crypt set_policy [ -p pad ] policy path ...
59              Sets the policy for the directories  specified  on  the  command
60              line.   All  directories must be empty to set the policy; if the
61              directory already has a policy established, e4crypt  will  vali‐
62              date that the policy matches what was specified.  A policy is an
63              encryption key identifier consisting of 16  hexadecimal  charac‐
64              ters.
65

AUTHOR

67       Written by Michael Halcrow <mhalcrow@google.com>, Ildar Muslukhov <mus‐
68       lukhovi@gmail.com>, and Theodore Ts'o <tytso@mit.edu>
69

SEE ALSO

71       keyctl(1), mke2fs(8), mount(8).
72
73
74
75E2fsprogs version 1.46.3           July 2021                        E4CRYPT(8)
Impressum