
Allow setkey on mount root directory containing .pefs.db #19

Open
generalmx opened this issue Jun 23, 2014 · 3 comments

Comments

@generalmx

When you mount a PEFS directory and then add your first key, this is the key that PEFS will use to encrypt new files by default for this mount -- this is fine except when you have more than one key in a keychain, you unlock more than one key at a time, and you use setkey on child directories. Example:

mkdir foo
mkdir foo/bar
pefs mount foo foo
pefs addchain -f -k /mnt/usb/keyfile -K /mnt/usb/keyfile -P foo
pefs addkey -k -p /mnt/usb/keyfile foo
(OK, now "foo" is encrypting files as the child key.)
pefs setkey -k /mnt/usb/keyfile -c foo/bar
(OK, now "foo/bar" is encrypting files as the parent key.)
pefs flushkeys foo
pefs addkey -k /mnt/usb/keyfile -c foo
(Now "foo/bar" is available, but "foo" is encrypting as the parent, not child.)

The current workaround would be to just never place files in the mount's root dir when using more than one key like this.

@glk
Collaborator

glk commented Aug 21, 2014

This issue can't be resolved within the current pefs design. From the pefs standpoint the file system root doesn't have a key assigned to it, thus you can't change it. BTW this "feature" has a usable side effect by letting one transparently access encrypted zfs snapshots.

Key management overhaul is planned for the next major pefs release. The general idea is to make behavior more strict:

  • permit only files encrypted with directory key
  • nested directories may have different keys
  • there would be no notion of key order at file system level
  • key chains should become an exotic feature (if not dropped entirely) rather than the default key storage mechanism

In this regard the root directory, which doesn't have a key assigned, remains one of the problematic areas. Desired behavior should be as close to "regular" directory handling as possible. I don't like the idea of storing the root directory key anywhere. Comments and suggestions are welcome.

@glk glk added the postponed label Aug 21, 2014
@DragonSA
Contributor

I would like an option to mark a directory/file to exclude it from encryption (i.e. ~/.ssh/authorized_keys).

@glk
Collaborator

glk commented Oct 30, 2015

I do not intend to add an option to mark a file/dir to exclude it from encryption; it's going to be extremely confusing for the user, not to mention the potential security implications. The current behavior of allowing multiple keys in the same directory is already too cumbersome to keep track of. BTW multiple keys handling rules are about to get more strict in the next major PEFS release -- all files in a directory should be encrypted with the same key, nested directories may use another key, no plain text files allowed.

sshd may be configured to store authorized_keys outside of homedir, e.g.:

AuthorizedKeysFile      /etc/ssh/authorized_keys/%u

In fact it is possible to have authorized_keys not encrypted, although I would advise against doing so:

  1. create an unencrypted .ssh directory (before mounting pefs, and make sure an encrypted .ssh is not there)
  2. put your authorized_keys file there
  3. other files in directory may be encrypted
  4. NOTE that recreating authorized_keys file on encrypted file system will result in encrypted file. Appending/rewriting file in place will keep it plaintext.
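The step that bites people in the list above is the last one: a plaintext authorized_keys survives in-place appends and rewrites, but any tool that re-creates the file (write a temp file, rename it over the original) produces a new file that the encrypted directory will hold under its key. The following is an added example, not code from pefs or from anyone in this thread. It uses two checks a practitioner can run on the .ssh directory while pefs is not mounted (a temporary directory stands in for it here): whether a file is still a readable OpenSSH authorized_keys file (ASCII, every key line carrying a base64 blob whose wire-format prefix names its own key type), and whether an edit preserved the inode, which is the proxy used here for "the same file was kept" versus "a new file was created". The key line is built from a constructed 32-byte filler, not a real key, and KEY_TYPES is an assumed subset of what sshd accepts.

```python
# Added example (not from the pefs project or this issue thread): checks around the
# "unencrypted authorized_keys inside a pefs-backed home" workaround described above.
import base64
import os
import struct
import tempfile

# Key types sshd accepts in authorized_keys (assumed subset; enough for the heuristic)
KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)


def _is_key_blob(key_type: str, blob: str) -> bool:
    """An OpenSSH public key blob starts with uint32(len) || key_type (RFC 4253 string)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, TypeError):
        return False
    if len(raw) < 4:
        return False
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n] == key_type.encode("ascii")


def looks_like_authorized_keys(data: bytes) -> bool:
    """True if the bytes are ASCII and every non-comment line carries a well-formed key.

    Ciphertext written by the encrypting layer is neither ASCII nor structured this way,
    so a file that was silently re-created as an encrypted file fails this check.
    """
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    keys = 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options such as restrict,command="..." may precede the key type; find that token.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields) or not _is_key_blob(fields[idx], fields[idx + 1]):
            return False
        keys += 1
    return keys > 0


def classify(path: str) -> str:
    """'missing', 'plaintext' (sshd can read it as-is) or 'opaque' (not a readable key file)."""
    if not os.path.exists(path):
        return "missing"
    with open(path, "rb") as fh:
        return "plaintext" if looks_like_authorized_keys(fh.read()) else "opaque"


def append_in_place(path: str, line: str) -> bool:
    """Append by opening the existing file; True when the inode survived (same file kept)."""
    before = os.stat(path).st_ino
    with open(path, "ab") as fh:
        fh.write(line.encode("ascii") + b"\n")
    return os.stat(path).st_ino == before


def rewrite_by_rename(path: str, data: bytes) -> bool:
    """Write-temp-then-rename, as many editors do; False because a new file was created.

    On the encrypted mount that new file receives the directory's key, which is the
    trap the comment above warns about.
    """
    before = os.stat(path).st_ino
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(data)
    os.replace(tmp, path)
    return os.stat(path).st_ino == before


def constructed_key_line(comment: str = "constructed@example") -> str:
    """Build a syntactically valid ssh-ed25519 line around constructed filler (not a real key)."""
    kt = b"ssh-ed25519"
    fake_point = bytes([0x11] * 32)  # constructed filler, not a usable public key
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(fake_point)) + fake_point
    return f"{kt.decode()} {base64.b64encode(blob).decode()} {comment}"


def demo() -> dict:
    """Run the checks in a scratch directory standing in for the unmounted .ssh directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        ak = os.path.join(d, "authorized_keys")
        with open(ak, "w") as fh:
            fh.write("# constructed sample\n" + constructed_key_line() + "\n")
        results["initial"] = classify(ak)
        results["append_kept_inode"] = append_in_place(ak, "restrict " + constructed_key_line("second"))
        results["after_append"] = classify(ak)
        results["rename_kept_inode"] = rewrite_by_rename(ak, constructed_key_line("third").encode() + b"\n")
        # Constructed stand-in for what the backing store holds once the file was re-created under a key.
        cipher = os.path.join(d, "authorized_keys.cipher")
        with open(cipher, "wb") as fh:
            fh.write(bytes(range(256)))
        results["ciphertext"] = classify(cipher)
        results["missing"] = classify(os.path.join(d, "nope"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it as `python3 check_ak.py`; `classify()` is the check to point at the real backing directory once pefs is unmounted, and `rewrite_by_rename()` returning False is what an editor's save typically does to the file, so keys should be added with an append (`>>`) rather than by saving from an editor that renames.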
