
Trusted and Encrypted Keys

From the document Red Hat Enterprise Linux 7 Security Guide (Page 131-134)

Chapter 4. Hardening Your System with Tools and Services

4.10.4. Trusted and Encrypted Keys

Trusted and encrypted keys are variable-length symmetric keys generated by the kernel that utilize the kernel keyring service. The fact that the keys never appear in user space in an unencrypted form means that their integrity can be verified, which in turn means that they can be used, for example, by the extended verification module (EVM) to verify and confirm the integrity of a running system. User-level programs can only ever access the keys in the form of encrypted blobs.

Trusted keys need a hardware component: the Trusted Platform Module (TPM) chip, which is used to both create and encrypt (seal) the keys. The TPM seals the keys using a 2048-bit RSA key called the storage root key (SRK).

In addition to that, trusted keys may also be sealed using a specific set of the TPM's platform configuration register (PCR) values. The PCR contains a set of integrity-management values that reflect the BIOS, bootloader, and operating system. This means that PCR-sealed keys can only be decrypted by the TPM on the exact same system on which they were encrypted. However, once a PCR-sealed trusted key is loaded (added to a keyring), and thus its associated PCR values are verified, it can be updated with new (or future) PCR values, so that a new kernel, for example, can be booted. A single key can also be saved as multiple blobs, each with different PCR values.

Encrypted keys do not require a TPM, as they use the kernel AES encryption, which makes them faster than trusted keys. Encrypted keys are created using kernel-generated random numbers and encrypted by a master key when they are exported into user-space blobs. This master key can be either a trusted key or a user key, which is their main disadvantage — if the master key is not a trusted key, the encrypted key is only as secure as the user key used to encrypt it.

4.10.4.1. Working with Keys

Prior to any operations with keys, relevant kernel modules need to be loaded. For trusted keys, it is the trusted module, and for encrypted keys, it is the encrypted-keys module. Use the following command as the root user to load both of these modules at once:

~]# modprobe trusted encrypted-keys

Trusted and encrypted keys can be created, loaded, exported, and updated using the keyctl utility. For detailed information about using keyctl, see keyctl(1).

Note

In order to use a TPM (such as for creating and sealing trusted keys), it needs to be enabled and active. This can usually be achieved through a setting in the machine's BIOS or using the tpm_setactive command from the tpm-tools package of utilities. Also, the TrouSerS application needs to be installed (the trousers package), and the tcsd daemon, which is a part of the TrouSerS suite, must be running to communicate with the TPM.

To create a trusted key using a TPM, execute the keyctl command with the following syntax:

keyctl add trusted name "new keylength [options]" keyring

Using the above syntax, an example command can be constructed as follows:

~]$ keyctl add trusted kmk "new 32" @u
642500861

The above example creates a trusted key called kmk with the length of 32 bytes (256 bits) and places it in the user keyring (@u). The keys may have a length of 32 to 128 bytes (256 to 1024 bits). Use the show subcommand to list the current structure of the kernel keyrings:

~]$ keyctl show
Session Keyring
       -3 --alswrv    500   500  keyring: _ses
 97833714 --alswrv    500    -1   \_ keyring: _uid.1000
642500861 --alswrv    500   500       \_ trusted: kmk

The print subcommand outputs the encrypted key to the standard output. To export the key to a user-space blob, use the pipe subcommand as follows:

~]$ keyctl pipe 642500861 > kmk.blob

To load the trusted key from the user-space blob, use the add command again with the blob as an argument:

~]$ keyctl add trusted kmk "load `cat kmk.blob`" @u
268728824

The TPM-sealed trusted key can then be employed to create secure encrypted keys. The following command syntax is used for generating encrypted keys:

~]$ keyctl add encrypted name "new [format] key-type:master-key-name keylength" keyring

Based on the above syntax, a command for generating an encrypted key using the already created trusted key can be constructed as follows:

~]$ keyctl add encrypted encr-key "new trusted:kmk 32" @u

To create an encrypted key on systems where a TPM is not available, use a random sequence of numbers to generate a user key, which is then used to seal the actual encrypted keys.

~]$ keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u

427069434

Then generate the encrypted key using the random-number user key:

~]$ keyctl add encrypted encr-key "new user:kmk-user 32" @u
1012412758

The list subcommand can be used to list all keys in the specified kernel keyring:

~]$ keyctl list @u
2 keys in keyring:
 427069434: --alswrv  1000  1000 user: kmk-user
1012412758: --alswrv  1000  1000 encrypted: encr-key

Important

Keep in mind that encrypted keys that are not sealed by a master trusted key are only as secure as the user master key (random-number key) used to encrypt them. Therefore, the master user key should be loaded as securely as possible and preferably early during the boot process.
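A small audit of exported encrypted-key blobs, added here as an example and not taken from the guide: it parses the text that keyctl pipe writes for an encrypted key and flags keys whose master is a user key rather than a TPM-sealed trusted key, which is the case the Important note above warns about. The blob layout it assumes (format, master key type:name, decrypted data length, hex payload) comes from the kernel's keys-trusted-encrypted.txt, and the sample blobs are constructed.

```python
"""Audit exported encrypted-key blobs: flag any whose master key is a plain
user key rather than a TPM-sealed trusted key."""
import re

# Blob layout as documented in the kernel's keys-trusted-encrypted.txt (an
# assumption from that document): "<format> <type>:<master-name> <datalen> <hex>"
BLOB_RE = re.compile(r"^(?P<fmt>\S+)\s+(?P<mtype>trusted|user):(?P<mname>\S+)\s+"
                     r"(?P<datalen>\d+)\s+(?P<hex>[0-9a-fA-F]+)$")


def parse_blob(text: str) -> dict:
    """Parse one line as emitted by `keyctl pipe <id>` for an encrypted key."""
    m = BLOB_RE.match(text.strip())
    if m is None:
        raise ValueError("not an encrypted-key blob")
    if len(m["hex"]) % 2:
        raise ValueError("hex payload has odd length")
    return {
        "format": m["fmt"],
        "master_type": m["mtype"],     # "trusted" (TPM-sealed) or "user"
        "master_name": m["mname"],
        "datalen": int(m["datalen"]),  # decrypted key length in bytes
        "payload_hex": m["hex"].lower(),
    }


def audit(blobs: dict) -> dict:
    """Map key name -> verdict: OK, WARN (user-key master) or INVALID."""
    verdicts = {}
    for name, text in blobs.items():
        try:
            blob = parse_blob(text)
        except ValueError as err:
            verdicts[name] = f"INVALID: {err}"
            continue
        # Only a master of type "trusted" is sealed by the TPM's storage root key.
        if blob["master_type"] == "trusted":
            verdicts[name] = f"OK: sealed via trusted key {blob['master_name']}"
        else:
            verdicts[name] = (f"WARN: master {blob['master_name']} is a user key; "
                              "this key is only as secure as that user key")
    return verdicts


# Constructed sample blobs: the hex is filler, not real ciphertext.
SAMPLE_BLOBS = {
    "encr-key": "default trusted:kmk 32 " + "ab" * 80,
    "encr-key-user": "default user:kmk-user 32 " + "cd" * 80,
    "corrupt": "default user:kmk-user 32 not-hex",
}
```

Run audit() over blobs collected from keyctl pipe on the systems you manage; a WARN verdict means that key's protection rests entirely on how the user master key is loaded at boot.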

4.10.4.2. Additional Resources

The following offline and online resources can be used to acquire additional information pertaining to the use of trusted and encrypted keys.

Installed Documentation

keyctl(1) — Describes the use of the keyctl utility and its subcommands.

Online Documentation

Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide — The SELinux User's and Administrator's Guide for Red Hat Enterprise Linux 7 describes the basic principles of SELinux and documents in detail how to configure and use SELinux with various services, such as the Apache HTTP Server.

https://www.kernel.org/doc/Documentation/security/keys-trusted-encrypted.txt — The official documentation about the trusted and encrypted keys feature of the Linux kernel.

See Also

Section A.1.1, “Advanced Encryption Standard — AES” provides a concise description of the Advanced Encryption Standard.

Section A.2, “Public-key Encryption” describes the public-key cryptographic approach and the various cryptographic protocols it uses.
