F2FSCRYPT(8) System Manager's Manual F2FSCRYPT(8)

f2fscrypt - f2fs filesystem encryption utility

f2fscrypt add_key -S [ -k keyring ] [-v] [-q] [ path ... ]
f2fscrypt new_session
f2fscrypt get_policy path ...
f2fscrypt set_policy policy path ...

f2fscrypt performs encryption management for f2fs file systems.

f2fscrypt add_key -S [ -k keyring ] [-v] [-q] [ path ... ]
Prompts the user for a passphrase and inserts it into the specified
keyring. If no keyring is specified, f2fscrypt will use the session
keyring if it exists or the user session keyring if it does not.

If one or more directory paths are specified, f2fscrypt will try
to set the policy of those directories to use the key just
entered by the user.

f2fscrypt get_policy path ...
Print the policy for the directories specified on the command
line.

f2fscrypt new_session
Give the invoking process (typically a shell) a new session
keyring, discarding its old session keyring.

f2fscrypt set_policy policy path ...
Sets the policy for the directories specified on the command
line. All directories must be empty to set the policy; if the
directory already has a policy established, f2fscrypt will validate
that the policy matches what was specified. A policy is an
encryption key identifier consisting of 16 hexadecimal characters.

The target directory must be empty.

Format an f2fs filesystem that supports encryption.

# mkfs.f2fs -O encrypt /dev/sdxx
# mount /dev/sdxx /encrypted/
# mkdir /encrypted/dir

First create the key in the keyring using a simple salt
(or generate a random salt).
Then use it to set the policy for the directory to be encrypted.

# f2fscrypt add_key -S 0x1234
Enter passphrase (echo disabled):
Added key with descriptor [28e21cc0c4393da1]

# f2fscrypt set_policy 28e21cc0c4393da1 /encrypted/dir
Key with descriptor [28e21cc0c4393da1] applied to /encrypted/dir.

# touch /encrypted/dir/test.txt
# ls -l /encrypted/dir/
-rw-r--r--. 1 root root 0 Mar 5 21:41 test.txt

After each reboot, the same command can be used to set the key for
decryption of the directory and its descendants.

# ls -l /encrypted/dir/
-rw-r--r--. 1 root root 0 Mar 5 21:41 zbx7tsUEMLzh+AUVMkQcnB

# f2fscrypt get_policy /encrypted/dir/
/encrypted/dir/: 28e21cc0c4393da1

# f2fscrypt add_key -S 0x1234
Enter passphrase (echo disabled):
Added key with descriptor [28e21cc0c4393da1]

# ls -l /encrypted/dir/
-rw-r--r--. 1 root root 0 Mar 5 21:41 test.txt

Show process keyrings.

# keyctl show
Session Keyring
84022412 --alswrv 0 0 keyring: _ses
204615789 --alswrv 0 65534 \_ keyring: _uid.0
529474961 --alsw-v 0 0 \_ logon: f2fs:28e21cc0c4393da1

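Added example, not part of the f2fscrypt manual: a POSIX shell check that ties the descriptor printed by get_policy to the "logon: f2fs:<descriptor>" entry in keyctl show, so a script can tell whether a directory's key is loaded before it reads or writes there. The function names are this example's own, the sample strings are copied from the output above, and the parsing assumes the output formats shown on this page.

```shell
#!/bin/sh
# Sample `keyctl show` output, copied from the example above.
SAMPLE_KEYCTL='Session Keyring
84022412 --alswrv 0 0 keyring: _ses
204615789 --alswrv 0 65534 \_ keyring: _uid.0
529474961 --alsw-v 0 0 \_ logon: f2fs:28e21cc0c4393da1'

# A policy is exactly 16 hexadecimal characters; reject anything else so
# the value is safe to place in a grep pattern.
is_descriptor() {
    case "$1" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 16 ]
}

# Extract the descriptor from one `f2fscrypt get_policy` line,
# e.g. "/encrypted/dir/: 28e21cc0c4393da1". Prints nothing on mismatch.
policy_descriptor() {
    printf '%s\n' "$1" | sed -n 's/^.*: \([0-9a-fA-F]\{16\}\)$/\1/p'
}

# key_loaded DESCRIPTOR KEYCTL_OUTPUT
# 0: logon key present, 1: absent, 2: descriptor malformed.
key_loaded() {
    is_descriptor "$1" || return 2
    printf '%s\n' "$2" | grep -q "logon: f2fs:$1\$"
}

# Live check for one directory (needs f2fscrypt and keyctl installed).
# 0: key loaded, 1: key not loaded, 2: policy could not be determined.
check_dir() {
    line=$(f2fscrypt get_policy "$1") || return 2
    desc=$(policy_descriptor "$line")
    [ -n "$desc" ] || return 2
    key_loaded "$desc" "$(keyctl show)"
}

# Offline demonstration on the sample output.
if key_loaded 28e21cc0c4393da1 "$SAMPLE_KEYCTL"; then
    echo "key 28e21cc0c4393da1 is loaded"
fi
```

check_dir only sees the keyring tree that a bare keyctl show prints for the calling process, so run it from the same session that will access the directory.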
Written by Kinglong Mee <kinglongmee@gmail.com>. Migrated from e4crypt,
which was written by Michael Halcrow <mhalcrow@google.com>, Ildar Muslukhov
<muslukhovi@gmail.com>, and Theodore Ts'o <tytso@mit.edu>.

keyctl(1), mkfs.f2fs(8), mount(8).