inline-encryption.rst - OpenGrok cross reference for /linux-6.15/Documentation/block/inline-encryption.rst

Lines Matching refs:wrapped
81 hardware-wrapped); the actual bytes of the key; the size of the key; the
307 Hardware-wrapped keys
337 Hardware-wrapped keys are a feature of inline encryption hardware that is
384 made their hardware support *hardware-wrapped keys*.  Hardware-wrapped keys
389 (We refer to them as "hardware-wrapped keys" rather than simply "wrapped keys"
390 to add some clarity in cases where there could be other types of wrapped keys,
393 The key which wraps (encrypts) hardware-wrapped keys is a hardware-internal key
396 wrapped form of the key is what is initially unlocked, but it is erased from
397 memory as soon as it is converted into an ephemerally-wrapped key.  In-use
398 hardware-wrapped keys are always ephemerally-wrapped, not long-term wrapped.
410 Here is the key hierarchy for a hardware-wrapped key::
412                        Hardware-wrapped key
423 - *Hardware-wrapped key*: a key for the hardware's KDF (Key Derivation
424   Function), in ephemerally-wrapped form.  The key wrapping algorithm is a
429   derive subkeys after unwrapping the wrapped key.  The hardware's choice of KDF
451 particular set of encrypted directories) is made hardware-wrapped.  The inline
457 hardware-wrapped key, without any further key derivation.  Thus, in the case of
458 fscrypt, currently hardware-wrapped keys are only compatible with the "inline
469 been extended to support hardware-wrapped keys as an alternative to raw keys,
474   they support raw keys, hardware-wrapped keys, or both.
476 - ``struct blk_crypto_key`` can now contain a hardware-wrapped key as an
479   This allows users of blk-crypto to en/decrypt data using a hardware-wrapped
483   that support hardware-wrapped keys must implement this method.  Users of
486 - The programming and eviction of hardware-wrapped keys happens via
489   driver supports hardware-wrapped keys, then it must handle hardware-wrapped
492 blk-crypto-fallback doesn't support hardware-wrapped keys.  Therefore,
493 hardware-wrapped keys can only be used with actual inline encryption hardware.
495 All the above deals with hardware-wrapped keys in ephemerally-wrapped form only.
499 - ``BLKCRYPTOIMPORTKEY`` converts a raw key to long-term wrapped form.  It takes
503   the resulting long-term wrapped key blob to the buffer pointed to by
507   does not support hardware-wrapped keys.  An errno of ``EOVERFLOW`` indicates
514 - ``BLKCRYPTOPREPAREKEY`` converts a key from long-term wrapped form to
515   ephemerally-wrapped form.  It takes in a pointer to a ``struct
517   ``lt_key_size`` to the pointer and size (in bytes) of the long-term wrapped
519   the resulting ephemerally-wrapped key blob to the buffer pointed to by
524   that the long-term wrapped key is invalid.
529 raw keys; they are only for hardware-wrapped keys.
548 "import" mode, see the fscrypt hardware-wrapped key tests in xfstests, or