TPM Keyring - eCryptfs Setup Guide

Send questions and comments to: ecryptfs-users@lists.sf.net.

This page explains how to install eCryptfs for use with TPM Keyring, so that files can be shared securely among a group of machines.

Build

Download and untar the kernel. 2.6.18 is the latest stable release of the Linux kernel that eCryptfs has been built against.

$ wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.18.tar.bz2
$ tar jxvf linux-2.6.18.tar.bz2
$ cd linux-2.6.18
$ make menuconfig

If make menuconfig fails, you may need to install the ncurses-devel or ncurses2-devel packages. While in menuconfig, make sure to select your TPM's device driver under

Device Drivers > Character devices > TPM devices

You'll also need to select

Security options > Kernel Keyring support > Enable access key retention support

and any symmetric algorithms that you'd like to use under

Cryptographic options

Now you'll need to edit one file, include/linux/netlink.h, to get the source to compile cleanly. Add a #define for NETLINK_ECRYPTFS and give it a unique number:

#define NETLINK_IP6_FW          13
#define NETLINK_DNRTMSG         14      /* DECnet routing messages */
#define NETLINK_KOBJECT_UEVENT  15      /* Kernel messages to userspace */
#define NETLINK_GENERIC         16
#define NETLINK_ECRYPTFS        17

#define MAX_LINKS 32

struct sockaddr_nl
{
        sa_family_t     nl_family;      /* AF_NETLINK   */

Now save the file and build your kernel:

$ make
# make modules_install
# make install
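
The configuration steps above can be checked before running make. The script below is an added example, not part of the original guide or of eCryptfs. The function name check_ecryptfs_tree is hypothetical, CONFIG_TCG_TPM and CONFIG_KEYS are the Kconfig symbols behind the two menuconfig entries named above, and the protocol list is assumed to sit above MAX_LINKS as in the header excerpt.

```shell
#!/bin/sh
# Added example: pre-build sanity check for the kernel tree prepared above.
# Usage: sh check.sh /path/to/linux-2.6.18

check_ecryptfs_tree() {
    tree=$1
    cfg="$tree/.config"
    hdr="$tree/include/linux/netlink.h"
    rc=0

    for f in "$cfg" "$hdr"; do
        [ -r "$f" ] || { echo "missing: $f"; return 2; }
    done

    # The TPM core may be built in or a module; key retention is a bool.
    grep -Eq '^CONFIG_TCG_TPM=[ym]$' "$cfg" || { echo "CONFIG_TCG_TPM not enabled"; rc=1; }
    grep -Eq '^CONFIG_KEYS=y$' "$cfg" || { echo "CONFIG_KEYS not enabled"; rc=1; }

    # Number assigned to NETLINK_ECRYPTFS, and the MAX_LINKS bound.
    num=$(awk '$1=="#define" && $2=="NETLINK_ECRYPTFS" {print $3; exit}' "$hdr")
    max=$(awk '$1=="#define" && $2=="MAX_LINKS" {print $3; exit}' "$hdr")
    case $num in
        ''|*[!0-9]*) echo "NETLINK_ECRYPTFS not defined as a number"; return 1 ;;
    esac

    # "Unique": no other protocol listed above MAX_LINKS may share the number.
    clash=$(awk -v n="$num" '
        $1=="#define" && $2=="MAX_LINKS" {exit}
        $1=="#define" && $2 ~ /^NETLINK_/ && $2!="NETLINK_ECRYPTFS" && $3==n {print $2}
    ' "$hdr")
    [ -z "$clash" ] || { echo "NETLINK_ECRYPTFS=$num collides with: $clash"; rc=1; }

    # Protocol numbers must stay below MAX_LINKS.
    if [ -n "$max" ] && [ "$num" -ge "$max" ]; then
        echo "NETLINK_ECRYPTFS=$num is not below MAX_LINKS=$max"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "ok: NETLINK_ECRYPTFS=$num"
    return "$rc"
}

# Run the check when a kernel tree path is given on the command line.
if [ "$#" -gt 0 ]; then check_ecryptfs_tree "$1"; fi
```

A non-zero exit status means one of the earlier steps needs another look before the kernel is built.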

At this point, you'll need to have TrouSerS and openssl-devel installed on the machine. You can find instructions for how to do that here. Now reboot into the new 2.6.18 kernel and download keyutils, the eCryptfs tarball and the TPM patch:

$ wget http://people.redhat.com/~dhowells/keyutils/keyutils-1.2.tar.bz2
$ wget http://easynews.dl.sourceforge.net/sourceforge/ecryptfs/ecryptfs-20060921.tar.bz2
$ wget http://trousers.sf.net/tpm_keyring2/ecryptfs-tpm_pki-0927.patch
$ tar jxvf keyutils-1.2.tar.bz2
$ cd keyutils-1.2
$ make

Sometimes building the keyutils package fails. If so, you'll need to point it to your kernel build tree. Edit the Makefile, adding the path to your tree's include directory to CFLAGS:

CFLAGS          := -g -O2 -Wall -I/path/to/linux-2.6.18/include
INSTALL         := install
DESTDIR         :=
MAJOR           := 1
MINOR           := 2
VERSION         := $(MAJOR).$(MINOR)
NO_GLIBC_KEYERR := 0
NO_GLIBC_KEYSYS := 0
NO_ARLIB        := 0
BUILDFOR        :=
ETCDIR          := /etc

After make succeeds, install and continue with the builds:

# make install
$ tar jxvf ecryptfs-20060921.tar.bz2
$ cd ecryptfs-20060921
$ patch -p1 < ../ecryptfs-tpm_pki-0927.patch
# ./install.sh

This will install an eCryptfs kernel module and the user-space tools. You're done!
