Diffstat (limited to 'doc')
31 files changed, 3366 insertions, 0 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am
new file mode 100644
index 0000000..22ffd69
--- /dev/null
+++ b/doc/Makefile.am
@@ -0,0 +1,15 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+
+SUBDIRS = manpage
+
+dist_doc_DATA =
+dist_noinst_DATA =
+dist_html_DATA = ecryptfs-faq.html
+
+if BUILD_PKCS11_HELPER
+dist_doc_DATA += ecryptfs-pkcs11-helper-doc.txt
+else
+dist_noinst_DATA += ecryptfs-pkcs11-helper-doc.txt
+endif
+
+dist_pkgdata_DATA = ecryptfs-mount-private.txt
diff --git a/doc/Makefile.in b/doc/Makefile.in
new file mode 100644
index 0000000..780db99
--- /dev/null
+++ b/doc/Makefile.in
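Review bot: In doc/Makefile.am the `if BUILD_PKCS11_HELPER` / `else` block lists ecryptfs-pkcs11-helper-doc.txt in both branches with no comment, so the intent is easy to misread as a copy-paste slip. A one-line comment above the conditional would settle it, for example `# Always ship the PKCS#11 helper doc in the tarball; install it to docdir only when the helper is built.` Separately, `MAINTAINERCLEANFILES` names `$(srcdir)/Makefile.in` while this same commit adds the automake-generated doc/Makefile.in to the tree, so `make maintainer-clean` would delete a tracked file. If the commit is an import of a release tarball that is probably intended; otherwise the generated file is better regenerated at build time than checked in, since a committed Makefile.in is hard to review against its Makefile.am.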
@@ -0,0 +1,808 @@ +# Makefile.in generated by automake 1.13.3 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = 
$(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +target_triplet = @target@ +@BUILD_PKCS11_HELPER_TRUE@am__append_1 = ecryptfs-pkcs11-helper-doc.txt +@BUILD_PKCS11_HELPER_FALSE@am__append_2 = ecryptfs-pkcs11-helper-doc.txt +subdir = doc +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(am__dist_doc_DATA_DIST) $(dist_html_DATA) \ + $(am__dist_noinst_DATA_DIST) $(dist_pkgdata_DATA) +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/ac_pkg_swig.m4 \ + $(top_srcdir)/m4/ac_python_devel.m4 \ + $(top_srcdir)/m4/intltool.m4 $(top_srcdir)/m4/libtool.m4 \ + $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ + $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ + $(top_srcdir)/m4/swig_python.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +SOURCES = +DIST_SOURCES = +RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ + ctags-recursive dvi-recursive html-recursive info-recursive \ + 
install-data-recursive install-dvi-recursive \ + install-exec-recursive install-html-recursive \ + install-info-recursive install-pdf-recursive \ + install-ps-recursive install-recursive installcheck-recursive \ + installdirs-recursive pdf-recursive ps-recursive \ + tags-recursive uninstall-recursive +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__dist_doc_DATA_DIST = ecryptfs-pkcs11-helper-doc.txt +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! 
-r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(docdir)" "$(DESTDIR)$(htmldir)" \ + "$(DESTDIR)$(pkgdatadir)" +am__dist_noinst_DATA_DIST = ecryptfs-pkcs11-helper-doc.txt +DATA = $(dist_doc_DATA) $(dist_html_DATA) $(dist_noinst_DATA) \ + $(dist_pkgdata_DATA) +RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ + distclean-recursive maintainer-clean-recursive +am__recursive_targets = \ + $(RECURSIVE_TARGETS) \ + $(RECURSIVE_CLEAN_TARGETS) \ + $(am__extra_recursive_targets) +AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ + distdir +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. 
+am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +DIST_SUBDIRS = $(SUBDIRS) +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +am__relativize = \ + dir0=`pwd`; \ + sed_first='s,^\([^/]*\)/.*$$,\1,'; \ + sed_rest='s,^[^/]*/*,,'; \ + sed_last='s,^.*/\([^/]*\)$$,\1,'; \ + sed_butlast='s,/*[^/]*$$,,'; \ + while test -n "$$dir1"; do \ + first=`echo "$$dir1" | sed -e "$$sed_first"`; \ + if test "$$first" != "."; then \ + if test "$$first" = ".."; then \ + dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ + dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ + else \ + first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ + if test "$$first2" = "$$first"; then \ + dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ + else \ + dir2="../$$dir2"; \ + fi; \ + dir0="$$dir0"/"$$first"; \ + fi; \ + fi; \ + dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ + done; \ + reldir="$$dir2" +ACLOCAL = @ACLOCAL@ +ALL_LINGUAS = @ALL_LINGUAS@ +AMTAR = @AMTAR@ +AM_CPPFLAGS = @AM_CPPFLAGS@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CATALOGS = @CATALOGS@ +CATOBJEXT = @CATOBJEXT@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CRYPTO_CFLAGS = @CRYPTO_CFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CYGPATH_W = @CYGPATH_W@ +DATADIRNAME = @DATADIRNAME@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +DVIPS = @DVIPS@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GETTEXT_PACKAGE = @GETTEXT_PACKAGE@ +GMOFILES = @GMOFILES@ +GMSGFMT = @GMSGFMT@ +GPGME_CFLAGS = @GPGME_CFLAGS@ +GPGME_LIBS = @GPGME_LIBS@ +GREP = @GREP@ +GTK_CFLAGS = @GTK_CFLAGS@ +GTK_LIBS = @GTK_LIBS@ +INSTALL 
= @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INSTOBJEXT = @INSTOBJEXT@ +INTLLIBS = @INTLLIBS@ +INTLTOOL_EXTRACT = @INTLTOOL_EXTRACT@ +INTLTOOL_MERGE = @INTLTOOL_MERGE@ +INTLTOOL_PERL = @INTLTOOL_PERL@ +INTLTOOL_UPDATE = @INTLTOOL_UPDATE@ +INTLTOOL_V_MERGE = @INTLTOOL_V_MERGE@ +INTLTOOL_V_MERGE_OPTIONS = @INTLTOOL_V_MERGE_OPTIONS@ +INTLTOOL__v_MERGE_ = @INTLTOOL__v_MERGE_@ +INTLTOOL__v_MERGE_0 = @INTLTOOL__v_MERGE_0@ +KEYUTILS_CFLAGS = @KEYUTILS_CFLAGS@ +KEYUTILS_LIBS = @KEYUTILS_LIBS@ +LATEX = @LATEX@ +LATEX2HTML = @LATEX2HTML@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LIBECRYPTFS_LT_AGE = @LIBECRYPTFS_LT_AGE@ +LIBECRYPTFS_LT_CURRENT = @LIBECRYPTFS_LT_CURRENT@ +LIBECRYPTFS_LT_REVISION = @LIBECRYPTFS_LT_REVISION@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LOCALEDIR = @LOCALEDIR@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MKINSTALLDIRS = @MKINSTALLDIRS@ +MSGFMT = @MSGFMT@ +MSGFMT_OPTS = @MSGFMT_OPTS@ +MSGMERGE = @MSGMERGE@ +NM = @NM@ +NMEDIT = @NMEDIT@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ +OPENSSL_LIBS = @OPENSSL_LIBS@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_CFLAGS = @PAM_CFLAGS@ +PAM_LIBS = @PAM_LIBS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ +PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +POD2MAN = @POD2MAN@ +POFILES = @POFILES@ +POSUB = @POSUB@ +PO_IN_DATADIR_FALSE = @PO_IN_DATADIR_FALSE@ 
+PO_IN_DATADIR_TRUE = @PO_IN_DATADIR_TRUE@ +PS2PDF = @PS2PDF@ +PYTHON = @PYTHON@ +PYTHON_CPPFLAGS = @PYTHON_CPPFLAGS@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_EXTRA_LDFLAGS = @PYTHON_EXTRA_LDFLAGS@ +PYTHON_EXTRA_LIBS = @PYTHON_EXTRA_LIBS@ +PYTHON_LDFLAGS = @PYTHON_LDFLAGS@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_SITE_PKG = @PYTHON_SITE_PKG@ +PYTHON_VERSION = @PYTHON_VERSION@ +RANLIB = @RANLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +SWIG = @SWIG@ +SWIG_LIB = @SWIG_LIB@ +SWIG_PYTHON_CPPFLAGS = @SWIG_PYTHON_CPPFLAGS@ +SWIG_PYTHON_OPT = @SWIG_PYTHON_OPT@ +TAR = @TAR@ +TSPI_CFLAGS = @TSPI_CFLAGS@ +TSPI_LIBS = @TSPI_LIBS@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +XGETTEXT = @XGETTEXT@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +ecryptfskeymoddir = @ecryptfskeymoddir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +intltool__v_merge_options_ = @intltool__v_merge_options_@ +intltool__v_merge_options_0 = @intltool__v_merge_options_0@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pamdir = @pamdir@ +pamlibdir = @pamlibdir@ 
+pdfdir = @pdfdir@ +pkgconfigdir = @pkgconfigdir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +rootsbindir = @rootsbindir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target = @target@ +target_alias = @target_alias@ +target_cpu = @target_cpu@ +target_os = @target_os@ +target_vendor = @target_vendor@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +MAINTAINERCLEANFILES = $(srcdir)/Makefile.in +SUBDIRS = manpage +dist_doc_DATA = $(am__append_1) +dist_noinst_DATA = $(am__append_2) +dist_html_DATA = ecryptfs-faq.html +dist_pkgdata_DATA = ecryptfs-mount-private.txt +all: all-recursive + +.SUFFIXES: +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign doc/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-dist_docDATA: $(dist_doc_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \ + done + +uninstall-dist_docDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir) +install-dist_htmlDATA: $(dist_html_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_html_DATA)'; test -n "$(htmldir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(htmldir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(htmldir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(htmldir)'"; \ + 
$(INSTALL_DATA) $$files "$(DESTDIR)$(htmldir)" || exit $$?; \ + done + +uninstall-dist_htmlDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_html_DATA)'; test -n "$(htmldir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(htmldir)'; $(am__uninstall_files_from_dir) +install-dist_pkgdataDATA: $(dist_pkgdata_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_pkgdata_DATA)'; test -n "$(pkgdatadir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(pkgdatadir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pkgdatadir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pkgdatadir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(pkgdatadir)" || exit $$?; \ + done + +uninstall-dist_pkgdataDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_pkgdata_DATA)'; test -n "$(pkgdatadir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(pkgdatadir)'; $(am__uninstall_files_from_dir) + +# This directory's subdirectories are mostly independent; you can cd +# into them and run 'make' without going through this Makefile. +# To change the values of 'make' variables: instead of editing Makefiles, +# (1) if the variable is set in 'config.status', edit 'config.status' +# (which will cause the Makefiles to be regenerated when you run 'make'); +# (2) otherwise, pass the desired values on the 'make' command line. 
+$(am__recursive_targets): + @fail=; \ + if $(am__make_keepgoing); then \ + failcom='fail=yes'; \ + else \ + failcom='exit 1'; \ + fi; \ + dot_seen=no; \ + target=`echo $@ | sed s/-recursive//`; \ + case "$@" in \ + distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ + *) list='$(SUBDIRS)' ;; \ + esac; \ + for subdir in $$list; do \ + echo "Making $$target in $$subdir"; \ + if test "$$subdir" = "."; then \ + dot_seen=yes; \ + local_target="$$target-am"; \ + else \ + local_target="$$target"; \ + fi; \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + || eval $$failcom; \ + done; \ + if test "$$dot_seen" = "no"; then \ + $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ + fi; test -z "$$fail" + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-recursive +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ + include_option=--etags-include; \ + empty_fix=.; \ + else \ + include_option=--include; \ + empty_fix=; \ + fi; \ + list='$(SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + test ! 
-f $$subdir/TAGS || \ + set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ + fi; \ + done; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-recursive + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-recursive + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + $(am__make_dryrun) \ + || test -d "$(distdir)/$$subdir" \ + || $(MKDIR_P) "$(distdir)/$$subdir" \ + || exit 1; \ + dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ + $(am__relativize); \ + new_distdir=$$reldir; \ + dir1=$$subdir; dir2="$(top_distdir)"; \ + $(am__relativize); \ + new_top_distdir=$$reldir; \ + echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ + echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ + ($(am__cd) $$subdir && \ + $(MAKE) $(AM_MAKEFLAGS) \ + top_distdir="$$new_top_distdir" \ + distdir="$$new_distdir" \ + am__remove_distdir=: \ + am__skip_length_check=: \ + am__skip_mode_fix=: \ + distdir) \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-recursive +all-am: Makefile $(DATA) +installdirs: installdirs-recursive +installdirs-am: + for dir in "$(DESTDIR)$(docdir)" "$(DESTDIR)$(htmldir)" "$(DESTDIR)$(pkgdatadir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-recursive +install-exec: install-exec-recursive +install-data: install-data-recursive +uninstall: uninstall-recursive + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-recursive +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) 
$(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." + -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) +clean: clean-recursive + +clean-am: clean-generic clean-libtool mostlyclean-am + +distclean: distclean-recursive + -rm -f Makefile +distclean-am: clean-am distclean-generic distclean-tags + +dvi: dvi-recursive + +dvi-am: + +html: html-recursive + +html-am: + +info: info-recursive + +info-am: + +install-data-am: install-dist_docDATA install-dist_htmlDATA \ + install-dist_pkgdataDATA + +install-dvi: install-dvi-recursive + +install-dvi-am: + +install-exec-am: + +install-html: install-html-recursive + +install-html-am: + +install-info: install-info-recursive + +install-info-am: + +install-man: + +install-pdf: install-pdf-recursive + +install-pdf-am: + +install-ps: install-ps-recursive + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-recursive + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-recursive + +mostlyclean-am: mostlyclean-generic mostlyclean-libtool + +pdf: pdf-recursive + +pdf-am: + +ps: ps-recursive + +ps-am: + +uninstall-am: uninstall-dist_docDATA uninstall-dist_htmlDATA \ + uninstall-dist_pkgdataDATA + +.MAKE: $(am__recursive_targets) install-am install-strip + +.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \ + check-am clean clean-generic clean-libtool cscopelist-am ctags \ + ctags-am distclean distclean-generic 
distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am \ + install-dist_docDATA install-dist_htmlDATA \ + install-dist_pkgdataDATA install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs installdirs-am \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am uninstall-dist_docDATA \ + uninstall-dist_htmlDATA uninstall-dist_pkgdataDATA + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/doc/ecryptfs-faq.html b/doc/ecryptfs-faq.html new file mode 100644 index 0000000..68282a3 --- /dev/null +++ b/doc/ecryptfs-faq.html 
@@ -0,0 +1,748 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<html>
+<head>
+<title>
+eCryptfs
+</title>
+</head>
+<body>
+
+<h1>eCryptfs</h1>
+<h3>FAQ</h3>
+
+<hr>
+
+<a href="http://ecryptfs.org">Main Page</a>
+
+<hr>
+
+<table width="640">
+<tr>
+<td>
+
+<p>
+
+<h3>Index</h3>
+
+<ul>
+
+<li><a href="#novelty">What is novel about eCryptfs?</a></li>
+
+<li><a href="#versions">What versions of the kernel have eCryptfs
+support?</a></li>
+
+<li><a href="#deployment">Will eCryptfs by itself protect all my
+data?</a></li>
+
+<li><a href="#access_lower">Can I access the lower files while
+eCryptfs is mounted?</a></li>
+
+<li><a href="#options">What kernel options do I need to enable to
+build eCryptfs?</a></li>
+
+<li><a href="#compatibility">On what filesystems can I expect eCryptfs
+to function?</a></li>
+
+<li><a href="#stack">Why is the kernel stack such an issue with
+eCryptfs?</a></li>
+
+<li><a href="#ecryptfsd">What is <code>ecryptfsd</code>?</a></li>
+
+<li><a href="#ecryptfs-manager">What is
+<code>ecryptfs-manager</code>?</a></li>
+
+<li><a href="#nonroot">Do I have to be root to mount
+eCryptfs?</a></li>
+
+<li><a href="#xattr">How do I store the metadata in the extended
+attribute region of the lower file?</a></li>
+
+<li><a href="#encryptedview">I am using the <code>-o xattr</code>
+option, but my backup tools do not preserve extended attributes. How
+can I back up the lower files?</a></li>
+
+<li><a href="#sparse">What about sparse files?</a></li>
+
+<li><a href="#passphrase">How should I select my passphrase?</a></li>
+
+<li><a href="#protectkey">How can I protect my key?</a></li>
+
+<li><a href="#lostkey">I forgot my password/lost my key! What can I do
+to recover my data?</a></li>
+
+<li><a href="#compare">How does eCryptfs compare with other Linux disk
+encryption solutions?</a></li>
+
+<li><a href="#no-ecryptfsac">Once one user can access an eCryptfs
+file, any users with permission can also access the file. 
Should not
+eCryptfs require all users to have the key in order to access the
+files?</a></li>
+
+<li><a href="#initcipher">"<code>Unable to allocate crypto cipher
+with name [---]; rc = [-2]</code>"</a></li>
+
+<li><a href="#baddir">"<code>Error mounting eCryptfs; rc = [-2];
+strerr = [No such file or directory]</code>"</a></li>
+
+<li><a href="#einval">"<code>Error mounting eCryptfs; rc = [-22];
+strerr = [Invalid argument]</code>"</a></li>
+
+<li><a href="#keyproblem">"<code>ecryptfs_parse_options: Could
+not find key with description: [deadbeaf...]"</code></a></li>
+
+<li><a href="#sigsize">"<code>ecryptfs_parse_packet_set: Expected
+signature of size [8]; read size [7]"</code></a></li>
+
+<li><a href="#nothere">My question isn't answered here.</a></li>
+
+</ul>
+</p>
+
+</p>
+
+<a name="novelty">
+
+<p><h3>Q. What is novel about eCryptfs?</h3></p>
+
+<p>
+Well, nothing, to be honest. All of the techniques used in eCryptfs
+are directly based on cryptographic technology that was widely known
+and in practical use in the 1970's.
+</p>
+
+<p>
+Security problems often arise when software tries to ``invent its own
+crypto'' by deviating from what has been in common practical use for a
+lengthy period of time. eCryptfs sticks to tried-and-true encryption
+technology.
+</p>
+
+<p>
+In terms of per-file key management, eCryptfs simply uses the methods
+of PGP (created by Philip Zimmermann in 1991 and formally specified as
+a public standard in RFC2440 in 1998) and takes the obvious and
+conceptually trivial step of applying those methods within a
+filesystem service in the kernel. eCryptfs employs the well-weathered
+encryption techniques that have been in common use in the community
+for over two decades. Other cryptographic filesystems published and
+widely used in the 1990's use the same basic approach to encrypting
+files. eCryptfs just happens to be the first such filesystem to make
+it upstream in the Linux kernel.
+</p>
+
+<a name="versions">
+
+<p><h3>Q. 
What versions of the kernel have eCryptfs support?</h3></p>
+
+<p>
+Linux kernel versions 2.6.19 and later have eCryptfs support. The
+official mainline kernel is supported and is in active development.
+</p>
+
+<a name="deployment">
+
+<p><h3>Q. Will eCryptfs by itself protect all my data?</h3></p>
+
+<p>
+eCryptfs is just one component in a comprehensive set of mechanisms to
+protect the confidentiality of your data. Simply mounting eCryptfs
+over a directory in your home directory will probably not provide
+sufficient coverage for everything your applications will write to
+disk. For instance, applications that produce and store thumbnails of
+your images may write the thumbnails to an unprotected location.
+</p>
+
+<p>
+Sensitive application data will typically wind up in the following
+locations, although some applications will write data to other
+locations not listed here:
+</p>
+
+<ul>
+<li>Anywhere in your home directory</li>
+<li>The /tmp directory</li>
+<li>The /var directory</li>
+<li>The swap device</li>
+</ul>
+
+<p>
+The /tmp directory and the swap device can be easily protected with
+dm-crypt using a key randomly generated when the system is booted,
+since the information in those locations does not need to persist
+between reboots. eCryptfs must mount the /var directory prior to any
+daemons or other system applications reading from or writing to that
+location (including the syslog utility). eCryptfs must also mount over
+the user's home directory prior to the user logging into the system.
+</p>
+
+<p>
+You will need to consider other applications that diverge from
+traditional paths for storing data on a case-by-case basis. Analyzing
+application behavior with the kernel auditing system is one way to
+profile the behavior of an application, and explicit SE Linux rules
+that only allow applications to write to encrypted mountpoints helps
+prevent inadvertent information leakage. 
We recommend always using
+eCryptfs together with appropriate Mandatory Access Control (MAC)
+mechanisms to ensure that your sensitive data is always encrypted.
+</p>
+
+<p>
+Proper deployment of a comprehensive per-file encryption mechanism is
+a task best tackled by the entire Linux distribution. The eCryptfs
+team is working closely with various major Linux distributions to help
+ensure that eCryptfs is properly used as one component of a
+comprehensive data protection strategy.
+</p>
+
+<a name="access_lower">
+
+<p><h3>Q. Can I access the lower files while eCryptfs is mounted?</h3></p>
+
+<p>
+Accessing the lower files during an active eCryptfs mount is somewhat
+like accessing a block device on which ext3 is mounted. The kernel
+allows it, and it may work (depending on what you do with the data),
+but it is not a good idea.
+</p>
+
+<a name="options">
+
+<p><h3>Q. What kernel options do I need to enable to build
+eCryptfs?</h3></p>
+
+<p>
+<code>
+Code maturity level options ---><br>
+ [*] Prompt for development and/or incomplete code/drivers<br>
+<br>
+Security options ---><br>
+ <M> Enable access key retention support<br>
+<br>
+Cryptographic options ---><br>
+ <M> MD5 digest algorithm<br>
+ <M> AES cipher algorithms<br>
+<br>
+File systems ---><br>
+ Miscellaneous filesystems ---><br>
+ <M> eCrypt filesystem layer support (EXPERIMENTAL)<br>
+<br>
+Recommended .config options (some options not available in older kernels):<br>
+CONFIG_EXPERIMENTAL=y<br>
+CONFIG_KEYS=y<br>
+CONFIG_CRYPTO=y<br>
+CONFIG_CRYPTO_ALGAPI=y<br>
+CONFIG_CRYPTO_BLKCIPHER=y<br>
+CONFIG_CRYPTO_HASH=y<br>
+CONFIG_CRYPTO_MANAGER=y<br>
+CONFIG_CRYPTO_MD5=y<br>
+CONFIG_CRYPTO_ECB=y<br>
+CONFIG_CRYPTO_CBC=y<br>
+CONFIG_CRYPTO_AES=y<br>
+CONFIG_ECRYPT_FS=m
+</code>
+</p>
+
+<p>
+Newer versions of the Linux kernel now have a ``Layered filesystems''
+submenu under the ``File systems'' menu, where eCryptfs and Unionfs
+reside. 
+</p>
+
+<p>
+Make certain that you have loaded all of the crypto modules that you
+need to run eCryptfs. This includes <code>ecb</code>,
+<code>cbc</code>, <code>md5</code>, and at least one popular symmetric
+cipher, like <code>aes</code>.
+</p>
+
+<a name="compatibility">
+
+<p><h3>Q. On what filesystems can I expect eCryptfs to function?</h3></p>
+
+<p>
+eCryptfs has been well tested on EXT3, EXT4, XFS and it should work well on
+other popular local filesystems such as JFS, ReiserFS, and so
+forth. Changes in the 2.6.24 kernel make eCryptfs more functional on
+NFS and CIFS, although there is still a little more work to do in
+order to make eCryptfs function as well on networked filesystems as it
+currently works on local filesystems. This <a
+href="https://bugs.launchpad.net/ecryptfs/+bug/277578">bug</a>
+tracks the issues around making eCryptfs work on top of NFS, CIFS, Samba
+and WebDAV.
+</p>
+
+<a name="stack">
+
+<p><h3>Q. Why is the kernel stack such an issue with eCryptfs?</h3></p>
+
+<p>
+eCryptfs is a stacked filesystem. This implies that eCryptfs adds on
+top of whatever call stack exists with current filesystems. Each
+process in the Linux kernel has a fixed maximum stack size (4k+4k or
+8k). Some filesystems (such as XFS) push the limit of the stack by
+themselves; adding eCryptfs on top may cause a stack overflow on these
+filesystems. If you wish to use eCryptfs on XFS, I recommend that you
+first perform stress tests to help determine whether your specific
+configuration will lead to a kernel process stack overflow.
+</p>
+
+<a name="nonroot">
+
+<p><h3>Q. Do I have to be root to mount eCryptfs?</h3></p>
+
+<p>
+eCryptfs mounts can be set up to be done by non-root users, using
+the <code>ecryptfs-setup-private</code> utility. The root user
+can also setup mount points in <code>/etc/fstab</code>, but the
+non-root users will need to manually load their keys into the
+kernel keyring.
+</p>
+
+<a name="xattr">
+
+<p><h3>Q. 
How do I store the metadata in the extended attribute region
+of the lower file?</h3></p>
+
+<p>
+If your kernel has support for it, mount with the <code>-o
+xattr</code> option. Be sure to preserve the extended attributes in
+the lower files, or you will lose your data. Bear in mind that many
+userspace utilities such as <code>tar</code> lack extended attribute
+support, and so you need to use utilities like <code>star</code> with
+the proper options instead.
+</p>
+
+<a name="encryptedview">
+
+<p><h3>Q. I am using the <code>-o xattr</code> option, but my backup
+tools do not preserve extended attributes. How can I back up the lower
+files?</h3></p>
+
+<p>
+Mount with the <code>-o encrypted_view</code> flag and read the files
+from under the eCryptfs mount point. The files read will be encrypted,
+and the cryptographic metadata will be in the headers of the encrypted
+files that are passed through, even if this metadata is actually
+stored in the extended attribute regions of the lower files.
+</p>
+
+<a name="sparse">
+
+<p><h3>Q. What about sparse files?</h3></p>
+
+<p>
+eCryptfs does not currently support sparse files. Sequences of
+encrypted extents with all 0's could be interpreted as sparse regions
+in eCryptfs without too much implementation complexity. However, this
+would open up a possible attack vector, since the fact that certain
+segments of data are all 0's could betray strategic information that
+the user does not necessarily want to reveal to an attacker. For
+instance, if the attacker knows that a certain database file with
+patient medical data keeps information about viral infections in one
+region of the file and information about diabetes in another section
+of the file, then the very fact that the segment for viral infection
+data is populated with data at all would reveal that the patient has a
+viral infection.
+</p>
+
+<a name="passphrase">
+
+<p><h3>Q. 
How should I select my passphrase?</h3></p>
+
+<p>
+There are plenty of good guides out there to help you choose a strong
+passphrase. Here is one, for instance: <a
+href="http://www.iusmentis.com/security/passphrasefaq/">http://www.iusmentis.com/security/passphrasefaq/</a>.
+</p>
+
+<a name="protectkey">
+
+<p><h3>Q. How can I protect my key?</h3></p>
+
+<p>
+Make a copy and store it in a physically secure location. For
+instance, copy your public/private keypair to a USB flash drive or
+write your passphrase onto a sheet of paper. Then, lock the drive and
+paper in your desk drawer or put them in a safe deposit box (depending
+on the sensitivity of the data that the keys protect). Future versions
+of eCryptfs userspace utilities may implement key splitting functions
+to provide even more paranoid levels of key protection.
+</p>
+
+<p>
+Do not store your keys under the same physical security context in
+which you are storing your media. It should be much harder for an
+attacker to get to your keys than it is for him to get to your media.
+</p>
+
+<p>
+When you use public key mode and generate a new key using
+<code>ecryptfs-manager</code>, the generated key file is the one that
+you must back up in order to access your files.
+</p>
+
+<p>
+When mounting with a new key, I recommend performing a full mount,
+creating a new file, unmounting, clearing the user session keyring
+(<code>keyctl clear @u</code>), mounting again, and then trying to
+access the newly created file. This minimizes the likelihood that you
+will mistype a passphrase and create files that you will not be able
+to later recover. When mounting in passphrase mode, make sure that the
+ecryptfs_sig value matches between mounts. To help avoid the pitfall
+of mistyping a passphrase on mount, eCryptfs stores a cache of
+previous ecryptfs_sig values and warns the user if a mount passphrase
+does not match any passphrases used for previous mounts.
+</p>
+
+<a name="lostkey">
+
+<p><h3>Q. 
I forgot my password/lost my key! What can I do to recover
+my data?</h3></p>
+
+<p>
+Nothing; you're screwed. (<a
+href="http://www.cskk.ezoshosting.com/cs/goodstuff/bs-spc.html">Apologies</a>
+to Bruce Schneier).
+</p>
+
+<p>
+If you have forgotten your passphrase, your only hope is that you
+chose a weak passphrase in the first place. There is an outside chance
+that you might be able to perform a successful dictionary attack to
+recover your passphrase. If you manage to recover your passphrase that
+way, then you may as well have not been bothering to encrypt your data
+in the first place, since a malicious attacker could have done the
+exact same thing to recover your passphrase.
+</p>
+
+<p>
+If you selected a strong passphrase or lost your key file, you are
+completely out of luck. Nobody can help you recover your data.
+</p>
+
+<a name="compare">
+
+<p><h3>Q. How does eCryptfs compare with other Linux disk encryption
+solutions?</h3></p>
+
+<p>
+eCryptfs is an actual filesystem. Some other popular disk encryption
+technologies are not filesystems; they are block device encryption
+layers (they provide what appears to be a physical block device to
+some actual filesystem). There is no filesystem logic in these
+layers. A few of the more well-known block device encryption layers
+include dm-crypt, Truecrypt, and Loop-AES. Perhaps the best thing
+about block device-layer encryption is that it is an order of
+magnitude simpler to implement than filesystem-layer
+encryption. Another advantage of block device-layer encryption is that
+it will encrypt the entire filesystem, including all of the filesystem
+metadata. However, for many use cases, this can turn out to be more of
+a disadvantage than an advantage.
+</p>
+
+<p>
+While eCryptfs uses a powerful and flexible approach to protecting
+filesystem content, block device-layer encryption technology is still
+required to protect swap space and certain databases that use their
+own block device partition. 
The table below provides a
+compare-and-constrast of the two technologies. I anticipate that block
+device encryption will be the best solution for some people, while
+stacked filesystem encryption will be the best solution for
+others. Sometimes it even makes sense to use them both together, to
+combine the comprehensive full-disk encryption of a block device layer
+encryption technology with the transparent per-file encryption
+provided by eCryptfs (this will result in double-encryption of the
+file contents).
+</p>
+
+<br>
+
+<table border=1 cellspacing=5 cellpadding=4>
+
+<tr>
+ <td width="50%"><center><b>Block Device Encryption</b></center></td>
+ <td width="50%"><center><b>Stacked Filesystem Encryption</b></center></td>
+</tr>
+
+<tr>
+ <td>Simple in concept and implementation; just transform blocks as
+ they pass through.</td>
+ <td>High level of design complexity; meticulous handling of internal
+ filesystem primitives required.</td>
+</tr>
+
+<tr>
+ <td>Must allocate a block device to dedicate for the entire
+ filesystem.</td>
+ <td>Stacks on top of existing mounted filesystems; requires no special
+ on-disk storage allocation effort.</td>
+</tr>
+
+<tr>
+ <td>Everything in the filesystem incurs the cost of encryption and
+ decryption, regardless of the confidentiality requirements for the
+ data.</td>
+ <td>Selective encryption of the contents of only the sensitive
+ files.</td>
+</tr>
+
+<tr>
+ <td>Fully protects the confidentiality of the directory structures,
+ superblocks, file sizes, file permissions, and so forth.</td>
+ <td>Cannot keep all filesystem metadata confidential. 
Since stacked
+ filesystems encrypt on a per-file basis, attackers will know the
+ approximate file sizes, for instance.</td>
+</tr>
+
+<tr>
+ <td>Coarse granularity; only fixed per-mountpoint encryption policies
+ are possible.</td>
+ <td>Fine granularity; flexible per-file encryption policies are
+ possible.</td>
+</tr>
+
+<tr>
+ <td>No notion of ``encrypted files.'' Individual files must be
+ re-encrypted via a userspace application before written to backups,
+ sent via email, etc.</td>
+ <td>Individual encrypted files can be accessed transparently by
+ applications; no additional work needed on the part of applications
+ before moving the files to another location.</td>
+</tr>
+
+<tr>
+ <td>Clients cannot use directly on networked filesystems; encryption
+ must be set up and managed on the server, or the client must encase
+ all of his files in a loopback mount, losing the per-file granularity
+ from the perspective of other clients.</td>
+ <td>Clients can stack on locally mounted networked filesystems;
+ individual files are sent to the server and stored in encrypted
+ form.</td> </tr>
+<tr>
+ <td>Can protect databases that use their own dedicated block device.</td>
+ <td>Can only protect databases that write their tables to regular
+ files in an existing filesystem.</td>
+</tr>
+
+<tr>
+ <td>Used to protect swap space.</td>
+ <td>Not designed to protect swap space; we recommend using block
+ device encryption to protect swap space while using eCryptfs on the
+ filesystem.</td>
+</tr>
+
+<tr>
+ <td>Possible to hide the fact that the partition is encrypted.</td>
+ <td>The fact that encrypted data exists on the device is obvious to an
+ observer.</td>
+</tr>
+
+<tr>
+ <td>Filesystem-agnostic; any filesystem will work on an encrypted
+ block device.</td>
+ <td>Can only be expected to work with existing filesystems that are
+ upstream in the official Linux kernel.</td>
+</tr>
+
+</table>
+
+<p>
+EncFS is another popular cryptographic filesystem that behaves much 
+like a stacked filesystem. EncFS is a userspace filesystem, and so
+individual page reads and writes require additional context switches
+between kernel and userspace. One advantage a userspace cryptographic
+filesystem is that it is possible to use symmetric ciphers implemented
+in userspace libraries, but the frequent context switching impacts
+performance.
+</p>
+
+<a name="no-ecryptfsac">
+
+<p><h3>Once one user can access an eCryptfs file, any users with
+permission can also access the file. Should not eCryptfs require all
+users to have the key in order to access the files?</h3></p>
+
+<p>
+eCryptfs deliberately makes no attempt to re-implement the
+discretionary and mandatory access control mechanisms already present
+in the Linux kernel. eCryptfs will simply require that a File
+Encryption Key (FEK) be associated with any given inode in order to
+decrypt the contents of the file on disk. This prevents an attacker
+from accessing the file contents outside the context of the trusted
+host environment; for instance, by removing the storage device or by
+booting a live CD. This is the only type of unauthorized access that
+eCryptfs is intended to prevent.
+</p>
+
+<p>
+Once eCryptfs has associated that FEK with the inode, it does not
+impose any additional restrictions on who or what can access the
+files, deferring to the standard user/group/other permissions,
+capabilities, SE Linux type enforcement, and so forth to regulate
+access to the files. eCryptfs maintains no pedigree regarding how the
+FEK found its way to the inode, so it has no way of knowing that any
+particular UID should or should not be able to open the file, nor
+should eCryptfs do such a thing.
+</p>
+
+<p>
+Having eCryptfs impose additional access control onto the decrypted
+file contents in a trusted host environment would provide no
+additional security while introducing unintended usability issues. 
For
+instance, a user may wish to share his decrypted files with certain
+other users on the system without having to share his key with them or
+add their keys to a set of keys wrapping the inode's FEK. Users expect
+to be able to accomplish such a task via users, groups, capabilities,
+and types, and eCryptfs defers access control decisions on trusted
+host environments to these existing access control mechanisms.
+</p>
+
+<a name="initcipher">
+
+<p><h3>Q. "<code>Unable to allocate crypto cipher with name
+[---]; rc = [-2]</code>"</h3></p>
+
+<p>
+Make sure that you have enabled the kernel crypto API and that you
+have built the ciphers, hashes, and chaining modes that you wish to
+use. This will usually be md5, aes, cbc, and ecb. Also, make sure that
+the requested key size is valid for your cipher.
+</p>
+
+<a name="baddir">
+
+<p><h3>Q. "<code>Error mounting eCryptfs; rc = [-2]; strerr = [No
+such file or directory]</code>"</h3></p>
+
+<p>
+Make sure that both the source and destination directories that you
+provide to the mount command exist.
+</p>
+
+<a name="einval">
+
+<p><h3>Q. "<code>Error mounting eCryptfs; rc = [-22]; strerr =
+[Invalid argument]</code>"</a></h3></p>
+
+<p>
+Check your system log for the real problem.
+</p>
+
+<a name="keyproblem">
+
+<p><h3>Q. "<code>ecryptfs_parse_options: Could not find key with
+description: [deadbeaf...]"</code></h3></p>
+
+<p>
+If the mount fails and the message "<code>ecryptfs_parse_options:
+Could not find key with description: [deadbeaf...]"</code> is in
+your system logs, then there was a problem inserting your mount key
+into your kernel <i>user session</i> keyring.
+</p>
+
+<p>
+After a mount attempt, run <code>keyctl_show</code>. You should see
+something like this:
+</p>
+
+<pre>
+# keyctl show
+Session Keyring
+ -3 lswrv---------- 0 0 keyring: _uid_ses.0
+ 2 lswrv---------- 0 0 \_ keyring: _uid.0
+892244932 lswrv---------- 0 0 \_ user: deadbeef... 
+</pre>
+
+<p>
+Where <code>deadbeef</code> is the signature that corresponds with
+your key. If you don't see this, then there is a problem with your
+keyring setup.
+</p>
+
+<p>
+If you su to root, be sure to initiate the session by using the -
+flag.
+</p>
+
+<p>
+Finally, try linking your user keyring into your active session
+keyring:
+</p>
+
+<pre>
+# keyctl link @u @s
+</pre>
+
+<a name="sigsize">
+
+<p><h3>Q. "<code>ecryptfs_parse_packet_set: Expected
+signature of size [8]; read size [7]</code>"</h3></p>
+
+<p>
+Older versions of eCryptfs shipping in older kernels had a minor bug
+where eCryptfs would only write out and read in 7 of the 8 key
+signature characters to the metadata of the lower file. This violates
+the eCryptfs spec, so newer versions of eCryptfs correct this bug and
+refuse to read files that do not conform to the spec.
+</p>
+
+<p>
+The current correctly implemented version of eCryptfs cannot read
+files created with the early nonconformant and buggy release. If you
+have any files created with the earlier version, you will need to boot
+with the earlier version of eCryptfs and copy the decrypted files to
+secure location (e.g., a loopback mount image protected with
+dm-crypt). You will then need to copy the data from the secure
+location into an eCryptfs mount using the most recent kernel release.
+</p>
+
+<p>
+Note that the Versions of eCryptfs from 2.6.24 and on will be able to
+read files created by earlier versions, back through to 2.6.24, as
+indicated in the ecryptfs-utils package README file:
+</p>
+
+<p>
+<i>
+eCryptfs is still in a developmental stage. When you upgrade the
+eCryptfs kernel module, it is possible that the eCryptfs file format
+has been updated. For this reason you should copy your files to an
+unencrypted location and then copy the files back into the new
+eCryptfs mount point to migrate the files. File format version 3 and
+beyond (in kernel version 2.6.24) is expected to remain readable,
+however. 
+</i>
+</p>
+
+<a name="nothere">
+
+<p><h3>Q. My question isn't answered here.</h3></p>
+
+<p>
+Ask a question on <a
+href="http://stackexchange.com/search?q=ecryptfs">StackExchange</a>.
+File a bug on <a
+href="https://bugs.launchpad.net/ecryptfs">Launchpad</a>.
+Discuss an issue on the <a
+href="http://vger.kernel.org/vger-lists.html#ecryptfs">mailing list</a>.
+</p>
+
+<!--
+<p><h3>Q. </h3></p>
+
+<p>
+
+</p>
+-->
+
+</td>
+</tr>
+</table>
+
+<br><br><br><br><br><br><br><br><br><br><br><br><br><br>
+<br><br><br><br><br><br><br><br><br><br><br><br><br><br>
+<br><br><br><br><br><br><br><br><br><br><br><br><br><br>
+<br><br><br><br><br><br><br><br><br><br><br><br><br><br>
+
+</body>
+</html>
diff --git a/doc/ecryptfs-mount-private.txt b/doc/ecryptfs-mount-private.txt
new file mode 100644
index 0000000..bae54b7
--- /dev/null
+++ b/doc/ecryptfs-mount-private.txt
@@ -0,0 +1,9 @@
+THIS DIRECTORY HAS BEEN UNMOUNTED TO PROTECT YOUR DATA.
+
+From the graphical desktop, click on:
+ "Access Your Private Data"
+
+or
+
+From the command line, run:
+ ecryptfs-mount-private
diff --git a/doc/ecryptfs-pkcs11-helper-doc.txt b/doc/ecryptfs-pkcs11-helper-doc.txt
new file mode 100644
index 0000000..d807833
--- /dev/null
+++ b/doc/ecryptfs-pkcs11-helper-doc.txt 
@@ -0,0 +1,69 @@
+eCryptfs PKCS#11 Key Module
+
+ABOUT
+
+ eCryptfs PKCS#11 key module enables use of PKCS#11 token private key
+ with eCryptfs.
+
+ ecryptfsd must be running in order to use the key module.
+
+ The key module expects a private key and certificate on token, both
+ should have the same value in CKA_ID attribute.
+
+CONFIGURATION
+
+ Configuration is stored at ~/.ecryptfsrc.pkcs11.
+
+ Attributes:
+ pkcs11-log-level (Integer, decimal)
+ Log level of pkcs11-helper, can be from 0-5.
+
+ pkcs11-pin-cache-timeout (Integer, decimal)
+ Maximum PIN/session cache period in seconds.
+ -1 is infinite, until provider invalidates session.
+
+ pkcs11-provider
+ name (String)
+ Provider unique friendly name.
+
+ library (String)
+ Provider library to load.
+
+ allow-protected-auth (Boolean)
+ Enable protected authentication if provider supports the feature.
+
+ cert-private (Boolean)
+ Provider stores the certificates as private objects.
+
+ private-mask (Integer, hex)
+ Provider private key mask:
+ 0 Determine automatically.
+ 1 Use sign.
+ 2 Use sign recover.
+ 4 Use decrypt.
+ 8 Use unwrap.
+
+ Example:
+ pkcs11-log-level=5
+ pkcs11-provider1,name=myprovider1,library=/usr/lib/pkcs11/myprovider1.so
+ pkcs11-provider2,name=myprovider2,library=/usr/lib/pkcs11/myprovider2.so
+
+MOUNT OPTIONS
+
+ key Attributes:
+ id (String)
+ PKCS#11 serialized object id, this object id can be
+ acquired using ecryptfs-manager, the default value of
+ this field is a list of "DN (serial) [serialized id]".
+
+ x509file (String)
+ Optional (may be empty) reference to a X.509 PEM file
+ holding id certificate. It is required if the key is
+ added when the token is not available.
+
+ Example:
+ key=pkcs11:id=<serialized-id>
+
+AUTHORS
+ Alon Bar-Lev <alon.barlev@gmail.com>
+
diff --git a/doc/manpage/Makefile.am b/doc/manpage/Makefile.am
new file mode 100644
index 0000000..09f6dd2
--- /dev/null
+++ b/doc/manpage/Makefile.am 
@@ -0,0 +1,37 @@
+# Copyright (C) 2006 Trevor Highland <trevor.highland@gmail.com>
+#
+# This file is free software; as a special exception the author gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+
+dist_man_MANS = \
+ ecryptfs.7 \
+ ecryptfs-add-passphrase.1 \
+ ecryptfsd.8 \
+ ecryptfs-find.1 \
+ ecryptfs-generate-tpm-key.1 \
+ ecryptfs-insert-wrapped-passphrase-into-keyring.1 \
+ ecryptfs-manager.8 \
+ ecryptfs-migrate-home.8 \
+ ecryptfs-mount-private.1 \
+ ecryptfs-recover-private.1 \
+ ecryptfs-rewrap-passphrase.1 \
+ ecryptfs-rewrite-file.1 \
+ ecryptfs-setup-private.1 \
+ ecryptfs-setup-swap.1 \
+ ecryptfs-stat.1 \
+ ecryptfs-umount-private.1 \
+ ecryptfs-unwrap-passphrase.1 \
+ ecryptfs-verify.1 \
+ ecryptfs-wrap-passphrase.1 \
+ mount.ecryptfs.8 \
+ umount.ecryptfs.8 \
+ mount.ecryptfs_private.1 \
+ pam_ecryptfs.8 \
+ umount.ecryptfs_private.1
diff --git a/doc/manpage/Makefile.in b/doc/manpage/Makefile.in
new file mode 100644
index 0000000..20ef4f6
--- /dev/null
+++ b/doc/manpage/Makefile.in 
@@ -0,0 +1,721 @@ +# Makefile.in generated by automake 1.13.3 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# Copyright (C) 2006 Trevor Highland <trevor.highland@gmail.com> +# +# This file is free software; as a special exception the author gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the +# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) 
;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +target_triplet = @target@ +subdir = doc/manpage +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(dist_man_MANS) +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = 
$(top_srcdir)/m4/ac_pkg_swig.m4 \ + $(top_srcdir)/m4/ac_python_devel.m4 \ + $(top_srcdir)/m4/intltool.m4 $(top_srcdir)/m4/libtool.m4 \ + $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ + $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ + $(top_srcdir)/m4/swig_python.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +SOURCES = +DIST_SOURCES = +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' 
+am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +man1dir = $(mandir)/man1 +am__installdirs = "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man7dir)" \ + "$(DESTDIR)$(man8dir)" +man7dir = $(mandir)/man7 +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(dist_man_MANS) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALL_LINGUAS = @ALL_LINGUAS@ +AMTAR = @AMTAR@ +AM_CPPFLAGS = @AM_CPPFLAGS@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CATALOGS = @CATALOGS@ +CATOBJEXT = @CATOBJEXT@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CRYPTO_CFLAGS = @CRYPTO_CFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CYGPATH_W = @CYGPATH_W@ +DATADIRNAME = @DATADIRNAME@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +DVIPS = @DVIPS@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GETTEXT_PACKAGE = @GETTEXT_PACKAGE@ +GMOFILES = @GMOFILES@ +GMSGFMT = @GMSGFMT@ +GPGME_CFLAGS = @GPGME_CFLAGS@ +GPGME_LIBS = @GPGME_LIBS@ +GREP = @GREP@ +GTK_CFLAGS = @GTK_CFLAGS@ +GTK_LIBS = @GTK_LIBS@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INSTOBJEXT = @INSTOBJEXT@ +INTLLIBS = @INTLLIBS@ +INTLTOOL_EXTRACT = @INTLTOOL_EXTRACT@ +INTLTOOL_MERGE = @INTLTOOL_MERGE@ +INTLTOOL_PERL = @INTLTOOL_PERL@ +INTLTOOL_UPDATE = @INTLTOOL_UPDATE@ +INTLTOOL_V_MERGE = @INTLTOOL_V_MERGE@ +INTLTOOL_V_MERGE_OPTIONS = @INTLTOOL_V_MERGE_OPTIONS@ +INTLTOOL__v_MERGE_ = 
@INTLTOOL__v_MERGE_@ +INTLTOOL__v_MERGE_0 = @INTLTOOL__v_MERGE_0@ +KEYUTILS_CFLAGS = @KEYUTILS_CFLAGS@ +KEYUTILS_LIBS = @KEYUTILS_LIBS@ +LATEX = @LATEX@ +LATEX2HTML = @LATEX2HTML@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LIBECRYPTFS_LT_AGE = @LIBECRYPTFS_LT_AGE@ +LIBECRYPTFS_LT_CURRENT = @LIBECRYPTFS_LT_CURRENT@ +LIBECRYPTFS_LT_REVISION = @LIBECRYPTFS_LT_REVISION@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LOCALEDIR = @LOCALEDIR@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MKINSTALLDIRS = @MKINSTALLDIRS@ +MSGFMT = @MSGFMT@ +MSGFMT_OPTS = @MSGFMT_OPTS@ +MSGMERGE = @MSGMERGE@ +NM = @NM@ +NMEDIT = @NMEDIT@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ +OPENSSL_LIBS = @OPENSSL_LIBS@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_CFLAGS = @PAM_CFLAGS@ +PAM_LIBS = @PAM_LIBS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ +PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +POD2MAN = @POD2MAN@ +POFILES = @POFILES@ +POSUB = @POSUB@ +PO_IN_DATADIR_FALSE = @PO_IN_DATADIR_FALSE@ +PO_IN_DATADIR_TRUE = @PO_IN_DATADIR_TRUE@ +PS2PDF = @PS2PDF@ +PYTHON = @PYTHON@ +PYTHON_CPPFLAGS = @PYTHON_CPPFLAGS@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_EXTRA_LDFLAGS = @PYTHON_EXTRA_LDFLAGS@ +PYTHON_EXTRA_LIBS = @PYTHON_EXTRA_LIBS@ +PYTHON_LDFLAGS = @PYTHON_LDFLAGS@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_SITE_PKG = @PYTHON_SITE_PKG@ +PYTHON_VERSION = @PYTHON_VERSION@ +RANLIB = @RANLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ 
+SHELL = @SHELL@ +STRIP = @STRIP@ +SWIG = @SWIG@ +SWIG_LIB = @SWIG_LIB@ +SWIG_PYTHON_CPPFLAGS = @SWIG_PYTHON_CPPFLAGS@ +SWIG_PYTHON_OPT = @SWIG_PYTHON_OPT@ +TAR = @TAR@ +TSPI_CFLAGS = @TSPI_CFLAGS@ +TSPI_LIBS = @TSPI_LIBS@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +XGETTEXT = @XGETTEXT@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +ecryptfskeymoddir = @ecryptfskeymoddir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +intltool__v_merge_options_ = @intltool__v_merge_options_@ +intltool__v_merge_options_0 = @intltool__v_merge_options_0@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pamdir = @pamdir@ +pamlibdir = @pamlibdir@ +pdfdir = @pdfdir@ +pkgconfigdir = @pkgconfigdir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +rootsbindir = @rootsbindir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target = @target@ +target_alias = @target_alias@ +target_cpu = @target_cpu@ +target_os = @target_os@ 
+target_vendor = @target_vendor@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +MAINTAINERCLEANFILES = $(srcdir)/Makefile.in +dist_man_MANS = \ + ecryptfs.7 \ + ecryptfs-add-passphrase.1 \ + ecryptfsd.8 \ + ecryptfs-find.1 \ + ecryptfs-generate-tpm-key.1 \ + ecryptfs-insert-wrapped-passphrase-into-keyring.1 \ + ecryptfs-manager.8 \ + ecryptfs-migrate-home.8 \ + ecryptfs-mount-private.1 \ + ecryptfs-recover-private.1 \ + ecryptfs-rewrap-passphrase.1 \ + ecryptfs-rewrite-file.1 \ + ecryptfs-setup-private.1 \ + ecryptfs-setup-swap.1 \ + ecryptfs-stat.1 \ + ecryptfs-umount-private.1 \ + ecryptfs-unwrap-passphrase.1 \ + ecryptfs-verify.1 \ + ecryptfs-wrap-passphrase.1 \ + mount.ecryptfs.8 \ + umount.ecryptfs.8 \ + mount.ecryptfs_private.1 \ + pam_ecryptfs.8 \ + umount.ecryptfs_private.1 + +all: all-am + +.SUFFIXES: +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/manpage/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign doc/manpage/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man1: $(dist_man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(dist_man_MANS)'; \ + test -n "$(man1dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man1dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man1dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.1[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man1dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man1dir)" || exit $$?; }; \ + done; } + +uninstall-man1: + @$(NORMAL_UNINSTALL) + 
@list=''; test -n "$(man1dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.1[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man1dir)'; $(am__uninstall_files_from_dir) +install-man7: $(dist_man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(dist_man_MANS)'; \ + test -n "$(man7dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man7dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man7dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.7[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^7][0-9a-z]*$$,7,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man7dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man7dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man7dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man7dir)" || exit $$?; }; \ + done; } + +uninstall-man7: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man7dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.7[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^7][0-9a-z]*$$,7,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man7dir)'; $(am__uninstall_files_from_dir) +install-man8: 
$(dist_man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(dist_man_MANS)'; \ + test -n "$(man8dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.8[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) +tags TAGS: + +ctags CTAGS: + +cscope cscopelist: + + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case 
$$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(MANS) +installdirs: + for dir in "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man7dir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." + -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) +clean: clean-am + +clean-am: clean-generic clean-libtool mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-generic + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-man + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: install-man1 install-man7 install-man8 + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-generic mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man + +uninstall-man: uninstall-man1 uninstall-man7 uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: all all-am check check-am clean clean-generic clean-libtool \ + cscopelist-am ctags-am distclean distclean-generic \ + distclean-libtool distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-man1 install-man7 install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags-am 
uninstall \ + uninstall-am uninstall-man uninstall-man1 uninstall-man7 \ + uninstall-man8 + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/doc/manpage/ecryptfs-add-passphrase.1 b/doc/manpage/ecryptfs-add-passphrase.1 new file mode 100644 index 0000000..011d839 --- /dev/null +++ b/doc/manpage/ecryptfs-add-passphrase.1 @@ -0,0 +1,31 @@ +.TH ecryptfs-add-passphrase 1 2008-07-21 ecryptfs-utils "eCryptfs" +.SH NAME +ecryptfs-add-passphrase \- add an eCryptfs mount passphrase to the kernel keyring. + +.SH SYNOPSIS +\fBecryptfs-add-passphrase\fP [\-\-fnek] + +printf "%s" "passphrase" | \fBecryptfs-add-passphrase\fP [\-\-fnek] - + +.SH DESCRIPTION +\fBecryptfs-add-passphrase\fP is a utility to manually add a passphrase to the kernel keyring. + +If the \-\-fnek option is specified, the filename encryption key associated with the input passphrase will also be added to the keyring. + +.SH SEE ALSO +.PD 0 +.TP +\fBecryptfs\fP(7), \fBkeyctl\fP(1) + +.TP +\fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP + +.TP +\fIhttp://ecryptfs.org/\fP + +.PD + +.SH AUTHOR +This manpage was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation. + +On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL. diff --git a/doc/manpage/ecryptfs-find.1 b/doc/manpage/ecryptfs-find.1 new file mode 100644 index 0000000..cf6c9f8 --- /dev/null +++ b/doc/manpage/ecryptfs-find.1 
@@ -0,0 +1,25 @@
+.TH ecryptfs-find 1 2012-01-24 ecryptfs-utils "eCryptfs"
+.SH NAME
+ecryptfs-find \- use inode numbers to match encrypted/decrypted filenames
+
+.SH SYNOPSIS
+\fBecryptfs-find\fP cleartext-filename
+\fBecryptfs-find\fP ECRYPTFS_FNEK_ENCRYPTED.fwBGx18a.UcYl18CF7VKLMSDuEadV
+
+.SH DESCRIPTION
+This program will attempt to match encrypted filenames to their decrypted counterpart, and attempt to match decrypted filenames to their encrypted counterpart.
+
+Notes:
+ - the eCryptfs filesystem must be mounted in order to work
+ - it uses \fBls\fP(1) in order to determine the inode
+ - it uses \fBfind\fP(1) in order to locate the inode
+
+.SH SEE ALSO
+\fBfind\fP(1), \fBls\fP(1)
+
+\fIhttp://ecryptfs.org/\fP
+
+.SH AUTHOR
+This manpage was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/ecryptfs-generate-tpm-key.1 b/doc/manpage/ecryptfs-generate-tpm-key.1
new file mode 100644
index 0000000..72ba51f
--- /dev/null
+++ b/doc/manpage/ecryptfs-generate-tpm-key.1
@@ -0,0 +1,29 @@
+.TH ecryptfs-generate-tpm-key 1 2008-07-21 ecryptfs-utils "eCryptfs"
+.SH NAME
+ecryptfs-generate-tpm-key \- generate an eCryptfs key for TPM hardware.
+
+.SH SYNOPSIS
+\fBecryptfs-generate-tpm-key \-p PCR \fP [\-p PCR]...
+
+.SH DESCRIPTION
+\fBecryptfs-generate-tpm-key\fP is a utility to generate a sealing (storage) key bound to a specified set of PCRs values in the current TPM's PCR's.
+
+.SH EXAMPLE
+ecryptfs-generate-tpm-key \-p 0 \-p 2 \-p 3
+
+.SH SEE ALSO
+.PD 0
+.TP
+\fBecryptfs\fP(7)
+
+.TP
+\fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/ecryptfs-insert-wrapped-passphrase-into-keyring.1 b/doc/manpage/ecryptfs-insert-wrapped-passphrase-into-keyring.1
new file mode 100644
index 0000000..21e0993
--- /dev/null
+++ b/doc/manpage/ecryptfs-insert-wrapped-passphrase-into-keyring.1
@@ -0,0 +1,28 @@
+.TH ecryptfs-insert-wrapped-passphrase-into-keyring 1 2008-07-21 ecryptfs-utils "eCryptfs"
+.SH NAME
+ecryptfs-insert-wrapped-passphrase-into-keyring \- unwrap a wrapped passphrase from file and insert into the kernel keyring.
+
+.SH SYNOPSIS
+\fBecryptfs-insert-wrapped-passphrase-into-keyring [file]\fP
+
+printf "%s" "wrapping passphrase" | \fBecryptfs-insert-wrapped-passphrase-into-keyring [file] -\fP
+
+.SH DESCRIPTION
+\fBecryptfs-insert-wrapped-passphrase-into-keyring\fP is a utility to manually unwrap a passphrase from a file, and insert the unwrapped passphrase into the kernel keyring.
+
+.SH SEE ALSO
+.PD 0
+.TP
+\fBecryptfs\fP(7), \fBkeyctl\fP(1)
+
+.TP
+\fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/ecryptfs-manager.8 b/doc/manpage/ecryptfs-manager.8
new file mode 100644
index 0000000..d2fc361
--- /dev/null
+++ b/doc/manpage/ecryptfs-manager.8
@@ -0,0 +1,25 @@
+.TH ecryptfs\-manager 8 "May 2007" ecryptfs-utils "eCryptfs"
+.SH NAME
+ecryptfs-manager \- eCryptfs key manager.
+
+.SH DESCRIPTION
+\fBecryptfs-manager\fP is an application that manages eCryptfs objects such as keys.
+
+You can use \fBecryptfs-manager\fP to ask key modules to generate new keys for you, for instance.
+
+.SH "SEE ALSO"
+.PD 0
+.TP
+\fBecryptfs\fP(7), \fBecryptfsd\fP(8), \fBmount.ecryptfs\fP(8)
+
+.TP
+\fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage was written by William Lima <wlima.amadeus@gmail.com> for the Ubuntu system (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/ecryptfs-migrate-home.8 b/doc/manpage/ecryptfs-migrate-home.8
new file mode 100644
index 0000000..d118a14
--- /dev/null
+++ b/doc/manpage/ecryptfs-migrate-home.8
@@ -0,0 +1,40 @@
+.TH ecryptfs-migrate-home 8 2012-01-24 ecryptfs-utils "eCryptfs"
+.SH NAME
+ecryptfs-migrate-home \- migrate a user's home to directory to an encrypted home setup
+
+.SH SYNOPSIS
+\fBecryptfs-migrate-home\fP [-u|--user USER]
+
+.SH OPTIONS
+.TP
+.B -u, --user USER
+Migrate USER's home directory to an encrypted home directory
+
+.SH DESCRIPTION
+\fBWARNING\fP: Make a complete backup copy of the non-encrypted data to another system or external media. This script is dangerous and in case of an error, could result in data lost, or lock USER out of the system!
+
+This program must be executed by root.
+
+This program will attempt to migrate a user's home directory to an encrypted home directory.
+
+This program requires free disk space 2.5x the current size of the home directory to be migrated. Once successful, you can recover most of this space by deleting the cleartext directory.
+
+The USER must be logged out of all sessions in order to perform the migration, and have no open files according to \fBlsof\fP(1).
+
+Once the migration has completed, the USER must login immediately, \fbBEFORE THE NEXT REBOOT\fP in order to complete the migration.
+
+After logging in, if USER can read and write files in their home directory successfully, then the migration has completed successfully and can remove the cleartext backup in \fI/home/\fP.
+
+After a successful migration, the USER really must run \fBecryptfs-unwrap-passphrase\fP(1) or \fBzescrow\fP(1) and record their randomly generated mount passphrase.
+
+If swap is not already encrypted, it is highly recommended that your administrator setup encrypted swap using \fBecryptfs-setup-swap\fP(1).
+
+.SH SEE ALSO
+\fBecryptfs-unwrap-passphrase\fP(1), \fBecryptfs-setup-private\fP(1), \fBecryptfs-setup-swap\fP(1), \fBlsof\fP(1), \fBrsync\fP(1), \fBzescrow\fP(1)
+
+\fIhttp://ecryptfs.org/\fP
+
+.SH AUTHOR
+This manpage was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/ecryptfs-mount-private.1 b/doc/manpage/ecryptfs-mount-private.1
new file mode 100644
index 0000000..ec4758f
--- /dev/null
+++ b/doc/manpage/ecryptfs-mount-private.1
@@ -0,0 +1,37 @@
+.TH ecryptfs-mount-private 1 2008-11-13 ecryptfs-utils "eCryptfs"
+.SH NAME
+ecryptfs-mount-private \- interactive eCryptfs private mount wrapper script.
+
+.SH SYNOPSIS
+\fBecryptfs-mount-private\fP
+
+.SH DESCRIPTION
+\fBecryptfs-mount-private\fP is a wrapper script for the \fBmount.ecryptfs_private\fP utility that will interactively prompt for the user's login password, if necessary.
+
+.SH FILES
+\fI~/.Private\fP - underlying directory containing encrypted data
+
+\fI~/Private\fP - mountpoint containing decrypted data (when mounted)
+
+\fI~/.ecryptfs/Private.sig\fP - file containing signature of mountpoint passphrase
+
+\fI~/.ecryptfs/wrapped-passphrase\fP - file containing the wrapped passphrase
+
+\fI~/.ecryptfs/wrapping-independent\fP - this file exists if the wrapping passphrase is independent from login passphrase
+
+.SH SEE ALSO
+.PD 0
+.TP
+\fBmount.ecryptfs_private\fP(1), \fBecryptfs-umount-private\fP(1)
+
+.TP
+\fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage and the \fBecryptfs-mount-private\fP utility was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/ecryptfs-recover-private.1 b/doc/manpage/ecryptfs-recover-private.1
new file mode 100644
index 0000000..a51bf99
--- /dev/null
+++ b/doc/manpage/ecryptfs-recover-private.1
@@ -0,0 +1,33 @@
+.TH ecryptfs-recover-private 1 2010-12-17 ecryptfs-utils "eCryptfs"
+.SH NAME
+\fBecryptfs-recover-private\fP \- find and mount any encrypted private directories
+
+.SH SYNOPSIS
+\fBecryptfs-recover-private\fP [--rw] [encrypted private dir]
+
+.SH DESCRIPTION
+This utility is intended to help eCryptfs recover data from their encrypted home or encrypted private partitions. It is useful to run this from a LiveISO or a recovery image. It must run under \fBsudo\fP(8) or with root permission, in order to search the filesystem and perform the mounts.
+
+The program can take a target encrypted directory on the command line. If unspecified, the utility will search the entire system looking for encrypted private directories, as configured by \fBecryptfs-setup-private\fP(1).
+
+If an encrypted directory and a \fIwrapped-passphrase\fP file are found, the user is prompted for the login (wrapping) passphrase, the keys are inserted into the keyring, and the data is decrypted and mounted.
+
+If no \fIwrapped-passphrase\fP file is found, the user will be prompted for their mount passphrase. This passphrase is typically 32 characters of [0-9a-f]. All users are prompted to urgently record this randomly generated passphrase when they first setup their encrypted private directory.
+
+The destination mount of the decrypted data is a temporary directory, in the form of \fI/tmp/ecryptfs.XXXXXXXX\fP.
+
+By default, the mount will be read-only. To mount with read and write permission, add the --rw parameter.
+
+.SH SEE ALSO
+\fBecryptfs-setup-private\fP(1), \fBsudo\fP(8)
+
+\fIhttp://blog.dustinkirkland.com/2009/03/mounting-your-encrypted-home-from.html\fP
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others).
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/ecryptfs-rewrap-passphrase.1 b/doc/manpage/ecryptfs-rewrap-passphrase.1
new file mode 100644
index 0000000..9005afb
--- /dev/null
+++ b/doc/manpage/ecryptfs-rewrap-passphrase.1
@@ -0,0 +1,28 @@
+.TH ecryptfs-rewrap-passphrase 1 2008-07-21 ecryptfs-utils "eCryptfs"
+.SH NAME
+ecryptfs-rewrap-passphrase \- unwrap an eCryptfs wrapped passphrase, rewrap it with a new passphrase, and write it back to file.
+
+.SH SYNOPSIS
+\fBecryptfs-rewrap-passphrase [file]\fP
+
+printf "%s\\n%s" "old wrapping passphrase" "new wrapping passphrase" | \fBecryptfs-rewrap-passphrase [file] -\fP
+
+.SH DESCRIPTION
+\fBecryptfs-rewrap-passphrase\fP is a utility to change the wrapping passphrase on a wrapped passphrase file.
+
+.SH SEE ALSO
+.PD 0
+.TP
+\fBecryptfs\fP(7), \fBecryptfs-unwrap-passphrase\fP(1), \fBecryptfs-wrap-passphrase\fP(1)
+
+.TP
+\fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/ecryptfs-rewrite-file.1 b/doc/manpage/ecryptfs-rewrite-file.1
new file mode 100644
index 0000000..0b9ce81
--- /dev/null
+++ b/doc/manpage/ecryptfs-rewrite-file.1
@@ -0,0 +1,33 @@
+.TH ecryptfs-rewrite-file 1 2009-03-20 ecryptfs-utils "eCryptfs"
+.SH NAME
+ecryptfs-rewrite-file \- force a file to be rewritten (reencrypted) in the lower filesystem
+
+.SH SYNOPSIS
+\fBecryptfs-rewrite-file [file1] [file2] [file3] ...\fP
+
+.SH DESCRIPTION
+This script takes one or more files/directories/symlinks as arguments, moves each of them to a temporary file, and then moves them back to the original name. This causes the file to be rewritten (and reencrypted) in the lower filesystem.
+
+This script may be combined with \fBfind\fP(1) and \fBxargs\fP(1) to rewrite an entire eCryptfs mountpoint, unmount, and sync:
+
+ find . -xdev -print0 | xargs -r -0 /usr/bin/ecryptfs-rewrite-file
+ ecryptfs-umount-private
+ sync
+
+It is advised that this script is executed in runlevel 1 or 3, to avoid simultanteous writes and race conditions with targeted files.
+
+\fBUSING THIS SCRIPT WHILE GNOME, KDE, OR OTHER APPLICATIONS ARE RUNNING MAY CAUSE DATA LOSS.\fP
+
+.SH SEE ALSO
+.PD 0
+.TP
+\fBfind\fP(1), \fBxargs\fP(1), \fBecryptfs-umount-private\fP(1), \fBsync\fP(1)
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/ecryptfs-setup-private.1 b/doc/manpage/ecryptfs-setup-private.1
new file mode 100644
index 0000000..7d20961
--- /dev/null
+++ b/doc/manpage/ecryptfs-setup-private.1
@@ -0,0 +1,98 @@
+.TH ecryptfs-setup-private 1 2008-11-17 ecryptfs-utils "eCryptfs"
+.SH NAME
+ecryptfs-setup-private \- setup an eCryptfs private directory.
+
+.SH SYNOPSIS
+.BI "ecryptfs-setup-private [\-f|\-\-force] [\-w|\-\-wrapping] [\-b|\-\-bootstrap] [\-n|\-\-no-fnek] [\-\-nopwcheck] [\-u|\-\-username USER] [\-l|\-\-loginpass LOGINPASS] [\-m|\-\-mountpass MOUNTPASS]"
+
+.SH OPTIONS
+Options available for the \fBecryptfs-setup-private\fP command:
+.TP
+.B \-f, \-\-force
+Force overwriting of an existing setup
+.TP
+.B \-w, \-\-wrapping
+Use an independent wrapping passphrase, different from the login passphrase
+.TP
+.B \-u, \-\-username USER
+User to setup, default is current user if omitted
+.TP
+.B \-l, \-\-loginpass LOGINPASS
+System passphrase for USER, used to wrap MOUNTPASS, will interactively prompt if omitted
+.TP
+.B \-m, \-\-mountpass MOUNTPASS
+Passphrase for mounting the ecryptfs directory, default is 16 bytes from /dev/urandom if omitted
+.TP
+.B \-b, \-\-bootstrap
+Bootstrap a new user's entire home directory
+.TP
+.B \-\-undo
+Display instructions on how to undo an encrypted private setup
+.TP
+.B \-n, \-\-no\-fnek
+Do not encrypt filenames; otherwise, filenames will be encrypted on systems which support filename encryption
+.TP
+.B \-\-nopwcheck
+Do not check the validity of the specified login password (useful for LDAP user accounts)
+.TP
+.B \-\-noautomount
+Setup this user such that the encrypted private directory is not automatically mounted on login
+.TP
+.B \-\-noautoumount
+Setup this user such that the encrypted private directory is not automatically unmounted at logout
+
+
+.SH DESCRIPTION
+\fBecryptfs-setup-private\fP is a program that sets up a private cryptographic mountpoint for a non-root user.
+
+Be sure to properly escape your parameters according to your shell's special character nuances, and also surround the parameters by double quotes, if necessary.
Any of the parameters may be:
+
+ 1) exported as environment variables
+ 2) specified on the command line
+ 3) left empty and interactively prompted
+
+\fBThe user SHOULD ABSOLUTELY RECORD THE MOUNT PASSPHRASE AND STORE IN A SAFE LOCATION. If the mount passphase file is lost, or the mount passphrase is forgotten, THERE IS NO WAY TO RECOVER THE ENCRYPTED DATA.\fP
+
+Using the values of USER, MOUNTPASS, and LOGINPASS, \fBecryptfs-setup-private\fP will:
+ - Create ~/.Private (permission 700)
+ - Create ~/Private (permission 500)
+ - Backup any existing wrapped passphrases
+ - Use LOGINPASS to wrap and encrypt MOUNTPASS
+ - Write to ~/.ecryptfs/wrapped-passphrase
+ - Add the passphrase to the current keyring
+ - Write the passphrase signature to ~/.ecryptfs/Private.sig
+ - Test the cryptographic mount with a few reads and writes
+
+The system administrator can add the pam_ecryptfs.so module to the PAM stack which will automatically use the login passphrase to unwrap the mount passphrase, add the passphrase to the user's kernel keyring, and automatically perform the mount. See \fPpam_ecryptfs\fP(8).
+
+.SH FILES
+\fI~/.ecryptfs/auto-mount\fP
+
+\fI~/.Private\fP - underlying directory containing encrypted data
+
+\fI~/Private\fP - mountpoint containing decrypted data (when mounted)
+
+\fI~/.ecryptfs/Private.sig\fP - file containing signature of mountpoint passphrase
+
+\fI~/.ecryptfs/Private.mnt\fP - file containing path of the private directory mountpoint
+
+\fI~/.ecryptfs/wrapped-passphrase\fP - file containing the mount passphrase, wrapped with the login passphrase
+
+\fI~/.ecryptfs/wrapping-independent\fP - this file exists if the wrapping passphrase is independent from login passphrase
+
+.SH SEE ALSO
+.PD 0
+.TP
+\fBecryptfs-rewrap-passphrase\fP(1), \fBmount.ecryptfs_private\fP(1), \fBpam_ecryptfs\fP(8), \fBumount.ecryptfs_private\fP(1)
+
+.TP
+\fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage and the \fBecryptfs-setup-private\fP utility was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/ecryptfs-setup-swap.1 b/doc/manpage/ecryptfs-setup-swap.1
new file mode 100644
index 0000000..7104436
--- /dev/null
+++ b/doc/manpage/ecryptfs-setup-swap.1
@@ -0,0 +1,29 @@
+.TH ecryptfs-setup-swap 1 2009-08-17 ecryptfs-utils "eCryptfs"
+.SH NAME
+ecryptfs-setup-swap \- ensure that any swap space is encrypted
+
+.SH SYNOPSIS
+\fBecryptfs-setup-swap\fP [-f|--force]
+
+.SH DESCRIPTION
+This script will detect existing swap partitions or swap files, and encrypt them, using cryptsetup.
+
+Encrypted swap is essential to securing any system using eCryptfs, since decrypted file contents will exist in the system's memory, which may be swapped to disk at any time. If the system swap space is not also encrypted, it is possible that decrypted files could be written to disk in clear text.
+
+Note that most Linux distributions do not yet support resuming from an encrypted swap space, and thus hibernate/resume will not work. Suspend/resume is unaffected.
+
+Upon running the utility, the user will be informed of the hibernate/resume break, and asked to confirm the behavior. The -f|--force option can be used to bypass this interactive prompt.
+
+.SH SEE ALSO
+.PD 0
+.TP
+\fBcryptsetup\fP(8)
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage and the utility was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/ecryptfs-stat.1 b/doc/manpage/ecryptfs-stat.1
new file mode 100644
index 0000000..458a3fb
--- /dev/null
+++ b/doc/manpage/ecryptfs-stat.1
@@ -0,0 +1,17 @@
+.TH ecryptfs-stat 1 2009-08-17 ecryptfs-utils "eCryptfs"
+.SH NAME
+ecryptfs-stat \- Present statistics on encrypted eCryptfs file attributes
+
+.SH SYNOPSIS
+\fBecryptfs-stat\fP filename
+
+.SH DESCRIPTION
+This program will present statistics on encrypted eCryptfs file and its attributes.
+
+.SH SEE ALSO
+\fIhttp://ecryptfs.org/\fP
+
+.SH AUTHOR
+This manpage was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/ecryptfs-umount-private.1 b/doc/manpage/ecryptfs-umount-private.1
new file mode 100644
index 0000000..8c641bc
--- /dev/null
+++ b/doc/manpage/ecryptfs-umount-private.1
@@ -0,0 +1,28 @@
+.TH ecryptfs-umount-private 1 2008-11-03 ecryptfs-utils "eCryptfs"
+.SH NAME
+ecryptfs-umount-private \- eCryptfs private unmount wrapper script.
+
+.SH SYNOPSIS
+\fBecryptfs-umount-private\fP
+
+.SH DESCRIPTION
+\fBecryptfs-umount-private\fP is a wrapper script for the \fBumount.ecryptfs_private\fP utility.
+
+It will unmount the user's private directory and clear any associated keys from the user's kernel keyring.
+
+.SH SEE ALSO
+.PD 0
+.TP
+\fBecryptfs-mount-private\fP(1), \fBumount.ecryptfs_private\fP(1)
+
+.TP
+\fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage and the \fBecryptfs-umount-private\fP utility was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/ecryptfs-unwrap-passphrase.1 b/doc/manpage/ecryptfs-unwrap-passphrase.1
new file mode 100644
index 0000000..d7d5d4a
--- /dev/null
+++ b/doc/manpage/ecryptfs-unwrap-passphrase.1
@@ -0,0 +1,28 @@
+.TH ecryptfs-unwrap-passphrase 1 2008-07-21 ecryptfs-utils "eCryptfs"
+.SH NAME
+ecryptfs-unwrap-passphrase \- unwrap an eCryptfs mount passphrase from file.
+
+.SH SYNOPSIS
+\fBecryptfs-unwrap-passphrase [file]\fP
+
+printf "%s" "wrapping passphrase" | \fBecryptfs-unwrap-passphrase [file] -\fP
+
+.SH DESCRIPTION
+\fBecryptfs-unwrap-passphrase\fP is a utility to unwrap an eCryptfs mount passphrase from file, using a specified wrapping passphrase, and display the decrypted result on standard out.
+
+.SH SEE ALSO
+.PD 0
+.TP
+\fBecryptfs\fP(7), \fBecryptfs-rewrap-passphrase\fP(1), \fBecryptfs-wrap-passphrase\fP(1)
+
+.TP
+\fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/ecryptfs-verify.1 b/doc/manpage/ecryptfs-verify.1
new file mode 100644
index 0000000..7feddd9
--- /dev/null
+++ b/doc/manpage/ecryptfs-verify.1
@@ -0,0 +1,37 @@
+.TH ecryptfs-verify 1 2012-01-24 ecryptfs-utils "eCryptfs"
+.SH NAME
+ecryptfs-verify \- validate an eCryptfs encrypted home or encrypted private configuration
+
+.SH SYNOPSIS
+\fBecryptfs-verify\fP [-h|--home] [-p|--private] [-e|--filenames-encrypted] [-n|--filenames-not-encrypted] [-u|--user USER] [--help]
+
+.SH OPTIONS
+.TP
+.B -h, --home
+True if HOME is correctly configured for encryption, False otherwise
+.TP
+.B -p, --private
+True if a non-HOME directory is correctly configured for encryption, False otherwise
+.TP
+.B -e, --filenames-encrypted
+True if filenames are set for encryption, False otherwise
+.TP
+.B -n, --filenames-not-encrypted
+True if filenames are not encrypted, False otherwise
+.TP
+.B -u, --user USER
+By default, the current user's configuration is checked, override with this option
+.TP
+.B --help
+This usage information
+
+.SH DESCRIPTION
+Note that options are additive. ALL checks must pass in order for this program to exit 0. Any failing check will cause this program to exit non-zero.
+
+.SH SEE ALSO
+\fIhttp://ecryptfs.org/\fP
+
+.SH AUTHOR
+This manpage was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/ecryptfs-wrap-passphrase.1 b/doc/manpage/ecryptfs-wrap-passphrase.1
new file mode 100644
index 0000000..1040e3b
--- /dev/null
+++ b/doc/manpage/ecryptfs-wrap-passphrase.1
@@ -0,0 +1,28 @@
+.TH ecryptfs-wrap-passphrase 1 2008-07-21 ecryptfs-utils "eCryptfs"
+.SH NAME
+ecryptfs-wrap-passphrase \- wrap an eCryptfs mount passphrase.
+
+.SH SYNOPSIS
+\fBecryptfs-wrap-passphrase [file]\fP
+
+printf "%s\\n%s" "passphrase to wrap" "wrapping passphrase" | \fBecryptfs-wrap-passphrase [file] -\fP
+
+.SH DESCRIPTION
+\fBecryptfs-wrap-passphrase\fP is a utility to wrap an eCryptfs mount passphrase, using a specified wrapping passphrase, and write the encrypted output to file.
+
+.SH SEE ALSO
+.PD 0
+.TP
+\fBecryptfs\fP(7), \fBecryptfs-rewrap-passphrase\fP(1), \fBecryptfs-unwrap-passphrase\fP(1)
+
+.TP
+\fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/ecryptfs.7 b/doc/manpage/ecryptfs.7
new file mode 100644
index 0000000..4f64fe4
--- /dev/null
+++ b/doc/manpage/ecryptfs.7
@@ -0,0 +1,130 @@
+.TH ecryptfs 7 2009-03-24 ecryptfs-utils "eCryptfs"
+.SH NAME
+eCryptfs \- an enterprise-class cryptographic filesystem for linux
+
+.SH SYNOPSIS
+.BI "mount -t ecryptfs [SRC DIR] [DST DIR] -o [OPTIONS]"
+
+.SH DESCRIPTION
+eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem for Linux. It is derived from Erez Zadok's Cryptfs, implemented through the FiST framework for generating stacked filesystems. eCryptfs extends Cryptfs to provide advanced key management and policy features. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; the file will be decryptable with the proper key, and there is no need to keep track of any additional information aside from what is already in the encrypted file itself. Think of eCryptfs as a sort of "gnupgfs."
+
+.SH OPTIONS
+
+KERNEL OPTIONS
+
+ Parameters that apply to the eCryptfs kernel module.
+
+.TP
+.B ecryptfs_sig=(fekek_sig)
+Specify the signature of the mount wide authentication token. The authentication token must be in the kernel keyring before the mount is performed. ecryptfs-manager or the eCryptfs mount helper can be used to construct the authentication token and add it to the keyring prior to mounting.
+.TP
+.B ecryptfs_fnek_sig=(fnek_sig)
+Specify the signature of the mount wide authentication token used for filename crypto. The authentication must be in the kernel keyring before mounting.
+.TP
+.B ecryptfs_cipher=(cipher)
+Specify the symmetric cipher to be used on a per file basis
+.TP
+.B ecryptfs_key_bytes=(key_bytes)
+Specify the keysize to be used with the selected cipher. If the cipher only has one keysize the keysize does not need to be specified.
+.TP
+.B ecryptfs_passthrough
+Allows for non-eCryptfs files to be read and written from within an eCryptfs mount. This option is turned off by default.
+.TP
+.B no_sig_cache
+Do not check the mount key signature against the values in the user's ~/.ecryptfs/sig-cache.txt file. This is useful for such things as non-interactive setup scripts, so that the mount helper does not stop and prompt the user in the event that the key sig is not in the cache.
+.TP
+.B ecryptfs_encrypted_view
+This option provides a unified encrypted file format of the eCryptfs files in the lower mount point. Currently, it is only useful if the lower mount point contains files with the metadata stored in the extended attribute. Upon a file read in the upper mount point, the encrypted version of the file will be presented with the metadata in the file header instead of the xattr. Files cannot be opened for writing when this option is enabled.
+.TP
+.B ecryptfs_xattr
+Store the metadata in the extended attribute of the lower files rather than the header region of the lower files.
+.TP
+.B verbose
+Log ecryptfs information to /var/log/messages. Do not run eCryptfs in verbose-mode unless you are doing so for the sole purpose of development, since secret values will be written out to the system log in that case.
+.TP
+
+MOUNT HELPER OPTIONS
+
+Parameters that apply to the eCryptfs mount helper.
+
+.TP
+.B key=(keytype):[KEY MODULE OPTIONS]
+Specify the type of key to be used when mounting eCryptfs.
+.TP
+.B ecryptfs_enable_filename_crypto=(y/n)
+Specify whether filename encryption should be enabled. If not, the mount helper will not prompt the user for the filename encryption key signature (default).
+.TP
+.B verbosity=0/1
+If verbosity=1, the mount helper will ask you for missing values (default). Otherwise, if verbosity=0, it will not ask for missing values and will fail if required values are omitted.
+.TP
+
+KEY MODULE OPTIONS
+
+Parameters that apply to individual key modules have the alias for the key module in the prefix of the parameter name.
Key modules are pluggable, and which key modules are available on any given system is dependent upon whatever happens to be installed in /usr/lib*/ecryptfs/.
+
+.TP
+.B passphrase_passwd=(passphrase)
+The actual password is passphrase. Since the password is visible to utilities (like ps under Unix) this form should only be used where security is not important.
+.TP
+.B passphrase_passwd_file=(filename)
+The password should be specified in a file with passwd=(passphrase). It is highly recommended that the file be stored on a secure medium such as a personal usb key.
+.TP
+.B passphrase_passwd_fd=(file descriptor)
+The password is specified through the specified file descriptor.
+.TP
+.B passphrase_salt=(hex value)
+The salt should be specified as a 16 digit hex value.
+.TP
+.B openssl_keyfile=(filename)
+The filename should be the filename of a file containing an RSA SSL key.
+.TP
+.B openssl_passwd_file=(filename)
+The password should be specified in a file with openssl_passwd=(openssl-password). It is highly recommended that the file be stored on a secure medium such as a personal usb key.
+.TP
+.B openssl_passwd_fd=(file descriptor)
+The password is specified through the specified file descriptor.
+.TP
+.B openssl_passwd=(password)
+The password can be specified on the command line. Since the password is
+visible in the process list, it is highly recommended to use this option
+only for testing purposes.
+
+.SH EXAMPLE
+
+.PP
+
+The following command will layover mount eCryptfs on /secret with a passphrase contained in a file stored on secure media mounted at /mnt/usb/.
+
+\fBmount -t ecryptfs -o key=passphrase:passphrase_passwd_file=/mnt/usb/file.txt /secret /secret\fP
+
+.PP
+
+Where file.txt contains the contents
+\fB"passphrase_passwd=[passphrase]"\fP.
+
+.SH SEE ALSO
+.PD 0
+.TP
+\fBmount\fP(8)
+
+.TP
+\fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH NOTES
+Do not run eCryptfs in verbose-mode unless you are doing so for the sole purpose of development, since secret values will be written out to the system log in that case. Make certain that your eCryptfs mount covers all locations where your applications may write sensitive data. In addition, use dm-crypt to encrypt your swap space with a random key on boot, or see \fBecryptfs-setup-swap\fP(1).
+
+Passphrases have a maximum length of 64 characters.
+
+.SH BUGS
+Please post bug reports to the eCryptfs bug tracker on Launchpad.net: https://bugs.launchpad.net/ecryptfs/+filebug.
+
+For kernel bugs, please follow the procedure detailed in Documentation/oops-tracing.txt to help us figure out what is happening.
+
+.SH AUTHOR
+This manpage was (re-)written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/ecryptfsd.8 b/doc/manpage/ecryptfsd.8
new file mode 100644
index 0000000..d6cf5c3
--- /dev/null
+++ b/doc/manpage/ecryptfsd.8
@@ -0,0 +1,25 @@
+.TH ecryptfsd 8 "May 2007" ecryptfs-utils "eCryptfs"
+.SH NAME
+ecryptfsd \- user\-space eCryptfs daemon.
+
+.SH DESCRIPTION
+\fBecryptfsd\fP is a userspace daemon that runs as the user performing file operations under the eCryptfs mount point. It services public key requests from the eCryptfs kernel module; these requests are sent via /dev/ecryptfs on file open events. ecryptfsd only needs to be run when a mount is done with a public key module.
+
+The daemon can be started simply by running \fIecryptfsd\fP. ecryptfsd will register itself with the kernel as the daemon that should service all eCryptfs filesystem requests done under the context of the user who runs the daemon.
+
+.SH "SEE ALSO"
+.PD 0
+.TP
+\fBecryptfs\fP(7), \fBecryptfs-manager\fP(8), \fBmount.ecryptfs\fP(8)
+
+.TP
+\fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage was written by William Lima <wlima.amadeus@gmail.com> for the Ubuntu system (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/mount.ecryptfs.8 b/doc/manpage/mount.ecryptfs.8
new file mode 100644
index 0000000..08d6abb
--- /dev/null
+++ b/doc/manpage/mount.ecryptfs.8
@@ -0,0 +1,28 @@
+.TH mount.ecryptfs 8 "May 2007" ecryptfs-utils "eCryptfs"
+.SH NAME
+mount.ecryptfs \- eCryptfs mount helper.
+
+.SH SYNOPSIS
+\fBmount \-t ecryptfs\fP [\fIlower\ directory\fP] [\fIecryptfs\ mount\ point\fP]
+
+.SH DESCRIPTION
+\fBmount.ecryptfs\fP is eCryptfs mount helper. The mount utility will defer to the mount helper to perform various configuration tasks; use the -i option to bypass the mount helper if you would rather manually specify your mount options. To mount eCryptfs, specify the lower directory (i.e., /root/crypt) for the encrypted files and the eCryptfs mountpoint (i.e., /mnt/crypt) for the decrypted view of the files:
+
+\fImount \-t ecryptfs /root/crypt /mnt/crypt\fP
+
+.SH "SEE ALSO"
+.PD 0
+.TP
+\fBecryptfs\fP(7), \fBecryptfsd\fP(8), \fBecryptfs-manager\fP(8), \fBmount\fP(8)
+
+.TP
+\fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage was written by William Lima <wlima.amadeus@gmail.com> for the Ubuntu system (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/mount.ecryptfs_private.1 b/doc/manpage/mount.ecryptfs_private.1
new file mode 100644
index 0000000..c3510fb
--- /dev/null
+++ b/doc/manpage/mount.ecryptfs_private.1
@@ -0,0 +1,65 @@
+.TH mount.ecryptfs_private 1 2008-07-21 ecryptfs-utils "eCryptfs"
+.SH NAME
+mount.ecryptfs_private \- eCryptfs private mount helper.
+
+.SH SYNOPSIS
+\fBmount.ecryptfs_private [ALIAS]\fP
+
+\fBNOTE:\fP This program will \fBnot\fP dynamically load the relevant keys. For this reason, it is recommended that users use \fBecryptfs-mount-private\fP(1) instead!
+
+.SH DESCRIPTION
+\fBmount.ecryptfs_private\fP is a mount helper utility for non-root users to cryptographically mount a private directory, ~/Private by default.
+
+This program optionally takes one argument, ALIAS. If ALIAS is omitted, the program will default to using "Private" using:
+ - $HOME/.Private as the SOURCE
+ - $HOME/Private as the DESTINATION
+ - $HOME/.ecryptfs/Private.sig for the key signatures.
+
+If ALIAS is specified, then the program will look for an \fBfstab\fP(5) style configuration in:
+ - $HOME/.ecryptfs/ALIAS.conf
+and for key signature(s) in:
+ - $HOME/.ecryptfs/ALIAS.sig
+
+The mounting will proceed if, and only if:
+ - the required passphrase is in their kernel keyring, and
+ - the current user owns both the SOURCE and DESTINATION mount points
+ - the DESTINATION is not already mounted
+
+This program will:
+ - mount SOURCE onto DESTINATION
+ - as an ecryptfs filesystem
+ - using the AES cipher
+ - with a key length of 16 bytes
+ - using the passphrase whose signature is in ~/.ecryptfs/Private.sig
+
+The only setuid operation in this program is the call to \fBmount\fP(8) or \fBumount\fP(8).
+
+The \fBecryptfs-setup-private\fP(1) utility will create the ~/.Private and ~/Private directories, generate a mount passphrase, wrap the passphrase, and write the ~/.ecryptfs/Private.sig.
+
+The system administrator can add the pam_ecryptfs.so module to the PAM stack which will automatically use the login passphrase to unwrap the mount passphrase, add the passphrase to the user's kernel keyring, and automatically perform the mount. See \fBpam_ecryptfs\fP(8).
+
+.SH FILES
+\fI~/.Private\fP - underlying directory containing encrypted data
+
+\fI~/Private\fP - mountpoint containing decrypted data (when mounted)
+
+\fI~/.ecryptfs/Private.sig\fP - file containing signature of mountpoint passphrase
+
+\fI~/.ecryptfs/wrapped-passphrase\fP - mount passphrase, encrypted with the login passphrase
+
+.SH SEE ALSO
+.PD 0
+.TP
+\fBecryptfs\fP(7), \fBecryptfs-rewrap-passphrase\fP(1), \fBecryptfs-setup-private\fP(1), \fBkeyctl\fP(1), \fBmount\fP(8), \fBumount.ecryptfs_private\fP(1), \fBpam_ecryptfs\fP(8), \fBfstab\fP(5)
+
+.TP
+\fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage and the \fBmount.ecryptfs_private\fP utility was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/pam_ecryptfs.8 b/doc/manpage/pam_ecryptfs.8
new file mode 100644
index 0000000..7f53e1d
--- /dev/null
+++ b/doc/manpage/pam_ecryptfs.8
@@ -0,0 +1,58 @@
+.TH pam_ecryptfs "8" "2008-07-21" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.SH "NAME"
+pam_ecryptfs \- PAM module for eCryptfs
+.SH "SYNOPSIS"
+.HP 12
+\fBpam_ecryptfs.so\fR [unwrap]
+.SH "DESCRIPTION"
+.PP
+pam_ecryptfs is a PAM module that can use the login password to unwrap an ecryptfs mount passphrase stored in ~/.ecryptfs/wrapped-passphrase, and automatically mount a private cryptographic directory.
+.SH "OPTIONS"
+.PP
+.TP 3n
+\fBunwrap\fR
+Use the login passphrase to unwrap an eCryptfs mount passphrase.
+.TP 3n
+.SH "MODULE SERVICES PROVIDED"
+.PP
+The services \fBauth\fR, and \fBsession\fR are supported.
+.SH "EXAMPLES"
+.PP
+To unwrap a mount passphrase and automatically mount a private directory on login, add the following lines to
+
+\fI/etc/pam.d/common-auth\fR:
+.sp
+.RS 3n
+.nf
+ auth required pam_ecryptfs.so unwrap
+.fi
+.RE
+.sp
+\fI/etc/pam.d/common-session\fR:
+.sp
+.RS 3n
+.nf
+ session optional pam_ecryptfs.so unwrap
+.fi
+.RE
+.sp
+
+.SH "SEE ALSO"
+.PP
+\fBecryptfs\fR(7),
+\fBpam.conf\fR(5),
+\fBpam.d\fR(8),
+\fBpam\fR(8)
+
+.TP
+\fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
+
diff --git a/doc/manpage/umount.ecryptfs.8 b/doc/manpage/umount.ecryptfs.8
new file mode 100644
index 0000000..9b26db1
--- /dev/null
+++ b/doc/manpage/umount.ecryptfs.8
@@ -0,0 +1,23 @@
+.TH umount.ecryptfs 8 2009-08-17 ecryptfs-utils "eCryptfs"
+.SH NAME
+umount.ecryptfs \- eCryptfs umount helper.
+
+.SH SYNOPSIS
+\fBumount\fP [\fIecryptfs\ mount\ point\fP]
+
+.SH DESCRIPTION
+\fBumount.ecryptfs\fP is an eCryptfs umount helper, that will also unlink keys from the keyring.
+
+.SH "SEE ALSO"
+.PD 0
+.TP
+\fBmount.ecryptfs\fP(8), \fBmount\fP(8)
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff --git a/doc/manpage/umount.ecryptfs_private.1 b/doc/manpage/umount.ecryptfs_private.1
new file mode 100644
index 0000000..3c6f79a
--- /dev/null
+++ b/doc/manpage/umount.ecryptfs_private.1
@@ -0,0 +1,56 @@
+.TH umount.ecryptfs_private 1 "2008-07-21" ecryptfs-utils "eCryptfs"
+.SH NAME
+umount.ecryptfs_private \- eCryptfs private unmount helper.
+
+.SH SYNOPSIS
+\fBumount.ecryptfs_private\fP [\-f]
+
+\fBNOTE:\fP This program will \fBnot\fP clear the relevant keys from the user's keyring. For this reason, it is recommended that users use \fBecryptfs-umount-private\fP(1) instead!
+
+.SH OPTIONS
+Options available for the \fBumount.ecryptfs_private\fP command:
+.TP
+.B \-f
+Force the unmount, ignoring the value of the mount counter in \fI/tmp/ecryptfs-USERNAME-Private\fP
+
+.SH DESCRIPTION
+\fBumount.ecryptfs_private\fP is a mount helper utility for non-root users to unmount a cryptographically mounted private directory, ~/Private.
+
+If, and only if:
+ - the private mount passphrase is in their kernel keyring, and
+ - the current user owns both ~/.Private and ~/Private, and
+ - ~/.Private is currently mounted on ~/Private
+ - the mount counter is 0 (counter is ignored if \-f option is used)
+
+This program will:
+ - unmount ~/Private
+
+The only setuid operationis in this program are the call to \fBumount\fP and updating \fB/etc/mtab\fP.
+
+The system administrator can add the pam_ecryptfs.so module to the PAM stack and automatically perform the unmount on logout. See \fBpam_ecryptfs\fP(8).
+
+.SH FILES
+\fI~/.Private\fP - underlying directory containing encrypted data
+
+\fI~/Private\fP - mountpoint containing decrypted data (when mounted)
+
+\fI~/.ecryptfs/Private.sig\fP - file containing signature of mountpoint passphrase
+
+\fI/tmp/ecryptfs-USERNAME-Private\fP - file containing the mount counter, incremented on each mount, decremented on each unmount
+
+.SH SEE ALSO
+.PD 0
+.TP
+\fBecryptfs\fP(7), \fBecryptfs-setup-private\fP(1), \fBkeyctl\fP(1), \fBmount\fP(8), \fBmount.ecryptfs_private\fP(1), \fBpam_ecryptfs\fP(8)
+
+.TP
+\fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP
+
+.TP
+\fIhttp://ecryptfs.org/\fP
+.PD
+
+.SH AUTHOR
+This manpage and the \fBumount.ecryptfs_private\fP utility was written by Dustin Kirkland <kirkland@ubuntu.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL. |