From: Eric Biggers <ebiggers@kernel.org>
To: Qu Wenruo <wqu@suse.com>
Cc: linux-crypto@vger.kernel.org,
linux-btrfs <linux-btrfs@vger.kernel.org>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
Daniel Vacek <neelx@suse.com>, Josef Bacik <josef@toxicpanda.com>
Subject: Re: Questions about encryption and (possibly weak) checksum
Date: Thu, 20 Nov 2025 22:32:48 +0000 [thread overview]
Message-ID: <20251120223248.GA3532564@google.com> (raw)
In-Reply-To: <48a91ada-c413-492f-86a4-483355392d98@suse.com>
On Fri, Nov 21, 2025 at 08:28:38AM +1030, Qu Wenruo wrote:
> Hi,
>
> Recently Daniel is reviving the fscrypt support for btrfs, and one thing
> caught my attention, related the sequence of encryption and checksum.
>
> What is the preferred order between encryption and (possibly weak) checksum?
>
> The original patchset implies checksum-then-encrypt, which follows what ext4
> is doing when both verity and fscrypt are involved.
>
>
> But on the other hand, btrfs' default checksum (CRC32C) is definitely not a
> cryptography level HMAC, it's mostly for btrfs to detect incorrect content
> from the storage and switch to another mirror.
>
> Furthermore, for compression, btrfs follows the idea of
> compress-then-checksum, thus to me the idea of encrypt-then-checksum looks
> more straightforward, and easier to implement.
>
> Finally, the btrfs checksum itself is not encrypted (at least for now),
> meaning the checksum is exposed for any one to modify as long as they
> understand how to re-calculate the checksum of the metadata.
>
>
> So my question here is:
>
> - Is there any preferred sequence between encryption and checksum?
>
> - Will a weak checksum (CRC32C) introduce any extra attack vector?
If you won't be encrypting the checksums, then it needs to be
encrypt+checksum so that the checksums don't leak information about the
plaintext. It doesn't matter how "strong" the checksum is.
- Eric
next prev parent reply other threads:[~2025-11-20 22:32 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-20 21:58 Questions about encryption and (possibly weak) checksum Qu Wenruo
2025-11-20 22:32 ` Eric Biggers [this message]
2025-11-20 22:36 ` Qu Wenruo
2025-11-21 13:02 ` Daniel Vacek
2025-11-21 19:08 ` Qu Wenruo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251120223248.GA3532564@google.com \
--to=ebiggers@kernel.org \
--cc=josef@toxicpanda.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=neelx@suse.com \
--cc=wqu@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.