Documentation/security/keys-ecryptfs.txt

Source: Internet  Published: 类似sai mac  Editor: 程序博客网  Time: 2024/06/14 10:37

Chinese translated version of Documentation/security/keys-ecryptfs.txt

If you have any comment or update to the content, please contact the
original document maintainer directly.  However, if you have a problem
communicating in English you can also ask the Chinese maintainer for
help.  Contact the Chinese maintainer if this translation is outdated
or if there is a problem with the translation.

Chinese maintainer: majg <1519014266@qq.com>
---------------------------------------------------------------------
Chinese maintainer: 马建刚 (Ma Jiangang)  majg <1519014266@qq.com>
Chinese translator: 马建刚 (Ma Jiangang)  majg <1519014266@qq.com>
Chinese proofreader: 马建刚 (Ma Jiangang)  majg <1519014266@qq.com>

The main text follows
---------------------------------------------------------------------
Encrypted keys for the eCryptfs filesystem

eCryptfs is a stacked filesystem which transparently encrypts and decrypts each
file using a randomly generated File Encryption Key (FEK).

Each FEK is in turn encrypted with a File Encryption Key Encryption Key (FEFEK),
either in kernel space or in user space by a daemon called 'ecryptfsd'.  In the
former case the operation is performed directly by the kernel CryptoAPI using a
key, the FEFEK, derived from a passphrase the user is prompted for; in the
latter the FEK is encrypted by 'ecryptfsd' with the help of external libraries
in order to support other mechanisms like public key cryptography, PKCS#11 and
TPM based operations.

The data structure defined by eCryptfs to contain the information required for
FEK decryption is called the authentication token and, currently, can be stored
in a kernel key of the 'user' type, inserted into the user's session-specific
keyring by the userspace utility 'mount.ecryptfs' shipped with the package
'ecryptfs-utils'.

The 'encrypted' key type has been extended with the introduction of the new
format 'ecryptfs' in order to be used in conjunction with the eCryptfs
filesystem.  Encrypted keys of the newly introduced format store an
authentication token in their payload, with a FEFEK randomly generated by the
kernel and protected by the parent master key.

In order to avoid known-plaintext attacks, the datablob obtained through the
commands 'keyctl print' or 'keyctl pipe' does not contain the whole
authentication token, whose content is well known, but only the FEFEK in
encrypted form.

The eCryptfs filesystem may really benefit from using encrypted keys in that the
required key can be securely generated by an administrator and provided at boot
time, after the unsealing of a 'trusted' key, in order to perform the mount in a
controlled environment.  Another advantage is that the key is not exposed to
threats from malicious software, because it is available in clear form only at
kernel level.

Usage:
   keyctl add encrypted name "new ecryptfs key-type:master-key-name keylen" ring
   keyctl add encrypted name "load hex_blob" ring
   keyctl update keyid "update key-type:master-key-name"

name:= '<16 hexadecimal characters>'
key-type:= 'trusted' | 'user'
keylen:= 64


Example of encrypted key usage with the eCryptfs filesystem:

Create an encrypted key "1000100010001000" of length 64 bytes with format
'ecryptfs' and save it using a previously loaded user key "test":

    $ keyctl add encrypted 1000100010001000 "new ecryptfs user:test 64" @u
    19184530

    $ keyctl print 19184530
    ecryptfs user:test 64 490045d4bfe48c99f0d465fbbbb79e7500da954178e2de0697
    dd85091f5450a0511219e9f7cd70dcd498038181466f78ac8d4c19504fcc72402bfc41c2
    f253a41b7507ccaa4b2b03fff19a69d1cc0b16e71746473f023a95488b6edfd86f7fdd40
    9d292e4bacded1258880122dd553a661

    $ keyctl pipe 19184530 > ecryptfs.blob

Mount an eCryptfs filesystem using the created encrypted key "1000100010001000"
into the '/secret' directory:

    $ mount -i -t ecryptfs -oecryptfs_sig=1000100010001000,\
      ecryptfs_cipher=aes,ecryptfs_key_bytes=32 /secret /secret
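The create, save and reload-at-boot cycle described above, as an added helper script that is not part of the kernel documentation or of ecryptfs-utils. It assumes keyctl is on PATH, that the key name, the master key reference (e.g. user:test, or a trusted key such as the assumed trusted:kmk) and a blob file are passed as arguments, and it checks a saved blob against the grammar from the Usage section before reloading it.

```shell
#!/bin/sh
# Added example, not from the kernel documentation. Wraps the keyctl commands
# above: save_ecryptfs_key creates the 'ecryptfs'-format encrypted key and saves
# its datablob, load_ecryptfs_key reloads that blob later (e.g. at boot, once
# the master key is available), and check_blob validates a blob against the
# grammar in the Usage section before it is trusted for a reload.

# check_blob "<format> <key-type>:<master-key-name> <keylen> <hex>"
# Returns 0 if the single-line datablob is well formed, 1 otherwise. The hex
# field is the encrypted FEFEK only, never the plaintext authentication token.
check_blob() {
    set -- $1
    [ $# -eq 4 ] || return 1
    [ "$1" = "ecryptfs" ] || return 1
    case $2 in
        trusted:?*|user:?*) ;;
        *) return 1 ;;
    esac
    [ "$3" = "64" ] || return 1
    # payload must be lowercase hex with an even number of digits (whole bytes)
    printf '%s' "$4" | grep -Eq '^([0-9a-f]{2})+$' || return 1
    return 0
}

# key_name is the 16-hex-character name also used as ecryptfs_sig at mount time,
# master is e.g. user:test or trusted:kmk (assumed names), out is the blob file.
# Prints the new key serial. Needs keyctl and a kernel with encrypted keys.
save_ecryptfs_key() {
    key_name=$1 master=$2 out=$3
    serial=$(keyctl add encrypted "$key_name" "new ecryptfs $master 64" @u) || return 1
    keyctl pipe "$serial" > "$out" || return 1
    check_blob "$(cat "$out")" || { echo "unexpected blob format in $out" >&2; return 1; }
    echo "$serial"
}

# Reload a saved blob into the user keyring; the master key named inside the
# blob must already be loaded, otherwise the kernel refuses the key.
load_ecryptfs_key() {
    key_name=$1 blob_file=$2
    check_blob "$(cat "$blob_file")" || return 1
    keyctl add encrypted "$key_name" "load $(cat "$blob_file")" @u
}
```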