Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption

[PATCH] fscrypt: add a documentation file for filesystem-level encryption · Eric Biggers <hidden> · 2017-08-18
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Andreas Dilger <hidden> · 2017-08-18
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Theodore Ts'o <tytso@mit.edu> · 2017-08-20
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Eric Biggers <hidden> · 2017-08-21
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Anand Jain <hidden> · 2017-08-21
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Theodore Ts'o <tytso@mit.edu> · 2017-08-21
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Eric Biggers <hidden> · 2017-08-21
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Anand Jain <hidden> · 2017-08-22
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Eric Biggers <hidden> · 2017-08-22
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Anand Jain <hidden> · 2017-08-22
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Eric Biggers <hidden> · 2017-08-22
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Anand Jain <hidden> · 2017-08-28
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Eric Biggers <hidden> · 2017-08-31
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Theodore Ts'o <tytso@mit.edu> · 2017-08-22
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Anand Jain <hidden> · 2017-08-22
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Eric Biggers <hidden> · 2017-08-22
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Anand Jain <hidden> · 2017-08-22
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Eric Biggers <hidden> · 2017-08-22
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Anand Jain <hidden> · 2017-08-28
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Theodore Ts'o <tytso@mit.edu> · 2017-08-28
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Anand Jain <hidden> · 2017-08-29
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Eric Biggers <hidden> · 2017-08-31
Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption · Eric Biggers <hidden> · 2017-08-31

From: Eric Biggers <hidden>
Date: 2017-08-31 18:10:18
Also in: linux-ext4, linux-fsdevel

Hi Anand,

On Tue, Aug 29, 2017 at 11:54:47AM +0800, Anand Jain wrote:

 BTRFS has an experimental fscrypt implementation[1] which does not
include the file-name encryption part it should be included but as
an optional since not all uses cases saves sensitive information in
the file-name. OR even if the attacker is able to identify a file
called secrete.txt and break it then its still points at the
weakness of the file-data encryption. Can we say that ? apparently
from the discussion here it seems the answer is yes.

Filenames by themselves can be sensitive information, since a filename can serve
as a strong indicator of what a file is.  For example, a filename could be used
as evidence that a person had access to a certain document.

quoted

Hence, making the encryption of the filenames optional doesn't just to
make life easier for backup/restore isn't a compelling argument, since
the backup/restore program is going to have to have special case
handling for fscrypt protected file systems *anyway*.

 fscrypt backup and restore does not work even without file-name
encryption because the Extended Attribute needs special ioctl in the
fscrypt (I did rise this objection before).

 But its entirely possible to create a string based encryption
metadata which can be updated/retrieved using the legacy backup
tools such as

  rsync --xattrs

 That will be a design for fscryptv2 probably..

 OR I mean to say possible optional file-name encryption is not the
ground reason for the encrypted backup and restore challenge.

This was already discussed.  You cannot simply add and remove the encryption
xattr from random files and directories; what happens to all the open file
descriptors, memory maps, pagecache pages, dcache entries, etc.?  Are the
existing contents and directory entries supposed to be left unencrypted, or are
they supposed to be already encrypted, or is the filesystem supposed to
automatically encrypt them when the xattr is set?  What about when the xattr is
removed?  Again, you're of course free to propose a design which takes into
account all of this and makes the argument for adding an xattr-based API, but I
haven't seen it yet.

Eric

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help