e4crypt.8 (2879B)
- .TH E4CRYPT 8 "Aug 2021" "E2fsprogs version 1.46.4"
- .SH NAME
- e4crypt \- ext4 file system encryption utility
- .SH SYNOPSIS
- .B e4crypt add_key -S \fR[\fB -k \fIkeyring\fR ] [\fB-v\fR] [\fB-q\fR] \fR[\fB -p \fIpad\fR ] [ \fIpath\fR ... ]
- .br
- .B e4crypt new_session
- .br
- .B e4crypt get_policy \fIpath\fR ...
- .br
- .B e4crypt set_policy \fR[\fB -p \fIpad\fR ] \fIpolicy path\fR ...
- .SH DESCRIPTION
- .B e4crypt
- performs encryption management for ext4 file systems.
- .SH COMMANDS
- .TP
- .B e4crypt add_key \fR[\fB-vq\fR] [\fB-S\fI salt\fR ] [\fB-k \fIkeyring\fR ] [\fB -p \fIpad\fR ] [ \fIpath\fR ... ]
- Prompts the user for a passphrase and inserts it into the specified
- keyring. If no keyring is specified, e4crypt will use the session
- keyring if it exists or the user session keyring if it does not.
- .IP
- The
- .I salt
- argument is interpreted in a number of different ways, depending on how
- its prefix value. If the first two characters are "s:", then the rest
- of the argument will be used as an text string and used as the salt
- value. If the first two characters are "0x", then the rest of the
- argument will be parsed as a hex string as used as the salt. If the
- first characters are "f:" then the rest of the argument will be
- interpreted as a filename from which the salt value will be read. If
- the string begins with a '/' character, it will similarly be treated as
- filename. Finally, if the
- .I salt
- argument can be parsed as a valid UUID, then the UUID value will be used
- as a salt value.
- .IP
- The
- .I keyring
- argument specifies the keyring to which the key should be added.
- .IP
- The
- .I pad
- value specifies the number of bytes of padding will be added to
- directory names for obfuscation purposes. Valid
- .I pad
- values are 4, 8, 16, and 32.
- .IP
- If one or more directory paths are specified, e4crypt will try to
- set the policy of those directories to use the key just added by the
- .B add_key
- command. If a salt was explicitly specified, then it will be used
- to derive the encryption key of those directories. Otherwise a
- directory-specific default salt will be used.
- .TP
- .B e4crypt get_policy \fIpath\fR ...
- Print the policy for the directories specified on the command line.
- .TP
- .B e4crypt new_session
- Give the invoking process (typically a shell) a new session keyring,
- discarding its old session keyring.
- .TP
- .B e4crypt set_policy \fR[\fB -p \fIpad\fR ] \fIpolicy path\fR ...
- Sets the policy for the directories specified on the command line.
- All directories must be empty to set the policy; if the directory
- already has a policy established, e4crypt will validate that the
- policy matches what was specified. A policy is an encryption key
- identifier consisting of 16 hexadecimal characters.
- .SH AUTHOR
- Written by Michael Halcrow <mhalcrow@google.com>, Ildar Muslukhov
- <muslukhovi@gmail.com>, and Theodore Ts'o <tytso@mit.edu>
- .SH SEE ALSO
- .BR keyctl (1),
- .BR mke2fs (8),
- .BR mount (8).