Re: Encrypting BTRFS Volume

[CACook@quantum-sci.com]

On Monday, December 03, 2012 07:41:09 AM B. J. Potter wrote:
> Ecryptfs is not made for volumes. You make a folder that holds your
> encrypted files. Then you mount it at another location that's in the
> clear. Perhaps your looking for full-disk encryption instead of
> filesystem-level encryption. Here's a note from the btrfs wikipedia
> page:
> 
> The current recommendation for encryption with btrfs is to use a
> full-disk encryption mechanism such as dm-crypt or LUKS on the
> underlying devices, and to create the btrfs filesystem on top of that
> layer (and that if a RAID is to be used with encryption, encrypting a
> dm-raid device or a hardware-RAID device gives much faster disk
> performance than dm-crypt overlaid by btrfs's own filesystem-level
> RAID features)

That may be on the Wikipedia page, but here's what's in the BTRFS FAQ:
https://btrfs.wiki.kernel.org/index.php/FAQ#Does_btrfs_support_encryption.3F
--------------------------------------------------------------------
Does btrfs support encryption?

No. This is a hard task and easy to do wrong (on a filesystem level). There's nobody actively working on it, although you may have heard it's planned (year 2009), try to understand it like not impossible. Instead, you should use available whole-disk encryption solutions such as dm-crypt or LUKS.

This pretty much forbids you to use btrfs' cool RAID features if you need encryption. Using a RAID implementation on top of several encrypted disks is much slower than using encryption on top of a RAID device. So the RAID implementation must be on a lower layer than the encryption, which is not possible using btrfs' RAID support.

Note: there is an option to use a btrfs internal raid1 for data and metadata: create the filesystem with --mixed option (and DUP profiles), but this may impact performace for volume sizes > 15G (or so).

Another solution is to use stacked encrypting layer like ecryptfs. This does not have the disadvantage mentioned in the paragraph above.

Last but not least it the fuse-based filesystem encfs working as a encrypting layer on top of normal filesystem. Note that the performance may be impacted (dive into fuse details for more). --------------------------------------------------------------------

And this is why I'm here.