eCryptfs Header Extent

Byte address   Content                                    Usage
0-7            Unencrypted file size                      Generic management
8-15           eCryptfs special marker                    Identification
16-19          eCryptfs flags                             Identification
20-23          eCryptfs header extent size                Generic management
24-25          eCryptfs extents count                     Generic management
26-(xx)        RFC2440 authentication token packet set    Cryptography
(xx)-(HS-1)    Reserved
HS-eof         Encrypted data                             Payload

An eCryptfs file is made of slices of contiguous data, called Extents, with different purposes. At the head of the file is the Header Extent, providing cryptographic material and generic information about the file. The last extent holds all the encrypted data. In between may be one or more extra extents as defined by the header extent. Below is a hexadecimal dump of an eCryptfs file:

00000000  00 00 00 00 00 00 00 12    /* unencrypted file size */
          0d 8f e7 a8 31 0e 50 5d    /* eCryptfs special marker */
00000010  03 00 00 02                /* flags */ -- file format version == 03
                                                 -- properties = IS_ENCRYPTED
          00 00 10 00                /* H.E.S. */ -- Header Extent Size (big-endian)
          00 02                      -- # of header extents
          <RFC2440 authentication token packet set>
          8c 1d 04 07 03 01
00000020  00 11 22 33 44 55 66 77 60 da 4c 8e f7 92 60 08
00000030  61 c3 9d 59 09 73 d9 83 c4 ed 16 62 08 5f 43 4f
00000040  4e 53 4f 4c 45 00 00 00 00 5a 4a 2d 2e 49 56 73
00000050  f1                         /** key signature */
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
00002000  <encrypted data starts here: 2 * 0x1000>

IS IT AN ECRYPTFS FILE?
Read the special marker in the header extent. It contains two 32-bit, big-endian words w0 and w1 such that XOR(w0, w1) == 0x3c81b7f5. This is the signature of an eCryptfs file. You can then check the flags in bytes 16 (file format version, expected to be 3) and 19 (properties, bit 1 set indicates an encrypted file).
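
The check described above, written out as an added example (not code from the handbook). It parses the fixed fields from the table and validates the marker. The function name, dictionary keys and constant names are hypothetical, the sample bytes are the first 32 bytes of the dump above, and reading the file size as big-endian is an assumption based on that dump.

```python
import struct

ECRYPTFS_MAGIC = 0x3C81B7F5   # XOR(w0, w1) value given in the text
FLAG_ENCRYPTED = 0x02         # bit 1 of byte 19, per the text
EXPECTED_VERSION = 3          # byte 16, per the text
FIXED_LEN = 26                # fixed fields occupy bytes 0-25


def parse_ecryptfs_header(buf: bytes):
    """Return the fixed header fields, or None if buf is not an eCryptfs header."""
    if len(buf) < FIXED_LEN:
        return None
    # Table layout: size (0-7), marker w0/w1 (8-15), flags (16-19),
    # header extent size (20-23), header extent count (24-25).
    # Assumption: every multi-byte field is big-endian, as in the dump.
    size, w0, w1, flags, hes, count = struct.unpack_from(">QII4sIH", buf, 0)
    if w0 ^ w1 != ECRYPTFS_MAGIC:
        return None
    return {
        "plain_size": size,
        "version": flags[0],
        "version_ok": flags[0] == EXPECTED_VERSION,
        "encrypted": bool(flags[3] & FLAG_ENCRYPTED),
        "header_extent_size": hes,
        "header_extents": count,
        # Encrypted payload starts after all header extents (2 * 0x1000 in the dump).
        "data_offset": hes * count,
    }


# First 32 bytes of the hexadecimal dump shown above.
SAMPLE = bytes.fromhex(
    "0000000000000012" "0d8fe7a8310e505d"   # file size, special marker
    "03000002" "00001000" "0002"            # flags, H.E.S., extent count
    "8c1d04070301"                          # start of the RFC2440 packet set
)

if __name__ == "__main__":
    info = parse_ecryptfs_header(SAMPLE)
    print(info if info else "not an eCryptfs file")
```

A file shorter than data_offset is truncated or not a complete eCryptfs file, so compare that value with the on-disk size before reading the payload.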
Application Notes
Picolo.net
Handbook