Documentation
Overview
Package keyring manages adding, removing, and getting the status of encryption policy keys to/from the kernel. Most public functions are in keyring.go, and they delegate to either user_keyring.go or fs_keyring.go, depending on whether a user keyring or a filesystem keyring is being used.
v2 encryption policies always use the filesystem keyring. v1 policies use the user keyring by default, but can be configured to use the filesystem keyring instead (requires root and kernel v5.4+).
Index
Constants
const (
	KeyStatusUnknown = 0 + iota
	KeyAbsent
	KeyAbsentButFilesBusy
	KeyPresent
	KeyPresentButOnlyOtherUsers
)
The possible values of KeyStatus.
const KeyType = "logon"
KeyType is always logon as required by filesystem encryption.
Variables
var (
	ErrKeyAdd               = util.SystemError("could not add key to the keyring")
	ErrKeyRemove            = util.SystemError("could not remove key from the keyring")
	ErrKeyNotPresent        = errors.New("key not present or already removed")
	ErrKeyFilesOpen         = errors.New("some files using the key are still open")
	ErrKeyAddedByOtherUsers = errors.New("other users have added the key too")
	ErrKeySearch            = errors.New("could not find key with descriptor")
	ErrSessionUserKeying    = errors.New("user keyring not linked into session keyring")
	ErrAccessUserKeyring    = errors.New("could not access user keyring")
	ErrLinkUserKeyring      = util.SystemError("could not link user keyring into root keyring")
)
Keyring error values
Functions
func AddEncryptionKey
AddEncryptionKey adds an encryption policy key to a kernel keyring. It uses either the filesystem keyring for the target Mount or the user keyring for the target User.
func RemoveEncryptionKey
RemoveEncryptionKey removes an encryption policy key from a kernel keyring. It uses either the filesystem keyring for the target Mount or the user keyring for the target User.
func UserKeyringID
UserKeyringID returns the key id of the target user's user keyring. We also ensure that the keyring will be accessible by linking it into the thread keyring and linking it into the root user keyring (permissions allowing). If checkSession is true, an error is returned if a normal user requests their user keyring, but it is not in the current session keyring.
Types
type KeyStatus
type KeyStatus int
KeyStatus is an enum that represents the status of a key in a kernel keyring.
func GetEncryptionKeyStatus
GetEncryptionKeyStatus gets the status of an encryption policy key in a kernel keyring. It uses either the filesystem keyring for the target Mount or the user keyring for the target User.
type Options
type Options struct {
// Mount is the filesystem to which the key should be
// added/removed/gotten.
Mount *filesystem.Mount
// User is the user for whom the key should be added/removed/gotten.
User *user.User
// Service is the prefix to prepend to the description of the keys in
// user keyrings. Not relevant for filesystem keyrings.
Service string
// UseFsKeyringForV1Policies is true if keys for v1 encryption policies
// should be put in the filesystem's keyring (if supported) rather than
// in the user's keyring. Note that this makes AddEncryptionKey and
// RemoveEncryptionKey require root privileges.
UseFsKeyringForV1Policies bool
}
Options are the options which specify *which* keyring the key should be added/removed/gotten to, and how.
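The keyring-selection rule from the overview (v2 always filesystem keyring; v1 user keyring unless UseFsKeyringForV1Policies is set, which needs root and kernel v5.4+) and the way the documented KeyStatus values relate to the removal errors, written out as an added stand-alone model; this is not fscrypt's own code, and the names SelectKeyring and RemovalOutcome, the "user"/"filesystem" labels and the kernel-version parameters are assumptions made for the example.

```go
package main
import "errors"
// KeyStatus values are copied from the documented enum above.
type KeyStatus int
const (
	KeyStatusUnknown KeyStatus = iota
	KeyAbsent
	KeyAbsentButFilesBusy
	KeyPresent
	KeyPresentButOnlyOtherUsers
)

// Error values modelled on the page's ErrKey* variables (same messages).
var (
	ErrKeyFilesOpen         = errors.New("some files using the key are still open")
	ErrKeyAddedByOtherUsers = errors.New("other users have added the key too")
)

// SelectKeyring applies the overview's rule: v2 policies always use the filesystem
// keyring; v1 policies use the user keyring unless UseFsKeyringForV1Policies is
// set, which the page says requires root and kernel v5.4+ (hypothetical helper).
func SelectKeyring(policyVersion int, useFsKeyringForV1, isRoot bool, kernelMajor, kernelMinor int) (string, error) {
	switch policyVersion {
	case 2:
		return "filesystem", nil
	case 1:
		if !useFsKeyringForV1 {
			return "user", nil
		}
		if !isRoot || kernelMajor < 5 || (kernelMajor == 5 && kernelMinor < 4) {
			return "", errors.New("filesystem keyring for v1 policies requires root and kernel v5.4+")
		}
		return "filesystem", nil
	}
	return "", errors.New("unsupported encryption policy version")
}

// RemovalOutcome maps the KeyStatus seen after a removal attempt to the documented
// error describing why the key is not fully gone; nil means it was removed.
func RemovalOutcome(status KeyStatus) error {
	switch status {
	case KeyAbsent:
		return nil
	case KeyAbsentButFilesBusy:
		return ErrKeyFilesOpen
	case KeyPresentButOnlyOtherUsers:
		return ErrKeyAddedByOtherUsers
	}
	return errors.New("key still present for this user")
}
```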