From: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
To: Alex Elsayed <eternaleye@gmail.com>
Cc: linux-btrfs@vger.kernel.org
Subject: Re: [RFC] Preliminary BTRFS Encryption
Date: Mon, 19 Sep 2016 14:57:33 -0400 [thread overview]
Message-ID: <20160919185733.GH21290@hungrycats.org> (raw)
In-Reply-To: <nriqf8$da6$2@blaine.gmane.org>
[-- Attachment #1: Type: text/plain, Size: 2019 bytes --]
On Sat, Sep 17, 2016 at 07:13:45AM +0000, Alex Elsayed wrote:
> IMO, this is already a flawed framing - in particular, if encrypting at
> the extent level, one _should not_ be encrypting (or authenticating)
> individual pages. The meaningful unit is the extent, and encrypting at
> page granularity puts you right back where dmcrypt is: dealing with fixed-
> size space, and needing to find somewhere else to put the auth tag.
>
> This is not a good place to be, and I strongly suspect it motivated
> choosing XTS in the first place - something I feel is an _error_ in the
> long run, and a dangerous one. (IMO, anything _but_ AEAD should be
> forbidden in FS-level encryption.)
>
> In a nonce-misuse-resistent AEAD, there _is_ no auth tag: There's some
> amount of inherent ciphertext expansion, and the ciphertext _cannot be
> decrypted at all_ unless all of it is present. In essence, a built-in all-
> or-nothing transform.
>
> You could, potentially, chop off part of that and store it elsewhere, but
> now you're dealing with significant added complexity, for absolutely zero
> gain.
That would be true if the problem were not already long solved in btrfs.
The 32-bit CRC tree stores 4 bytes per block separately and efficiently.
With minor changes it can store a 32-byte HMAC for each block.
> If you're _not_ using a nonce-misuse-resistant AEAD, it's even worse:
> keeping the tag out-of-band makes it far too easy to fail to verify it,
> or verify it only after decrypting the ciphertext to plaintext. Bluntly:
> that is an immediate security vulnerability.
>
> tl;dr: Don't encrypt pages, encrypt extents. They grow a little for the
> auth tag, and that's fine.
>
> Btrfs already handles needing to read the full extent in order to get a
> page out of it with compression, anyway.
It does, but compressed extents are limited to 128K. Uncompressed extents
come in sizes up to 128M, far too large to read in their entirety for
many applications.
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]
next prev parent reply other threads:[~2016-09-19 18:58 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-13 13:39 [RFC] Preliminary BTRFS Encryption Anand Jain
2016-09-13 13:39 ` [PATCH] btrfs: Encryption: Add btrfs encryption support Anand Jain
2016-09-13 14:12 ` kbuild test robot
2016-09-13 14:24 ` kbuild test robot
2016-09-13 16:10 ` kbuild test robot
2016-09-13 13:39 ` [PATCH 1/2] btrfs-progs: make wait_for_commit non static Anand Jain
2016-09-13 13:39 ` [PATCH 2/2] btrfs-progs: add encryption support Anand Jain
2016-09-13 13:39 ` [PATCH] fstests: btrfs: support encryption Anand Jain
2016-09-13 16:42 ` [RFC] Preliminary BTRFS Encryption Wilson Meier
2016-09-14 7:02 ` Anand Jain
2016-09-14 18:26 ` Wilson Meier
2016-09-15 4:53 ` Alex Elsayed
2016-09-15 11:33 ` Anand Jain
2016-09-15 11:47 ` Alex Elsayed
2016-09-16 11:35 ` Anand Jain
2016-09-15 5:38 ` Chris Murphy
2016-09-15 11:32 ` Anand Jain
2016-09-15 11:37 ` Austin S. Hemmelgarn
2016-09-15 14:06 ` Anand Jain
2016-09-15 14:24 ` Austin S. Hemmelgarn
2016-09-16 8:58 ` David Sterba
2016-09-17 2:18 ` Zygo Blaxell
2016-09-16 1:12 ` Dave Chinner
2016-09-16 5:47 ` Roman Mamedov
2016-09-16 6:49 ` Alex Elsayed
2016-09-17 4:38 ` Zygo Blaxell
2016-09-17 6:37 ` Alex Elsayed
2016-09-19 18:08 ` Zygo Blaxell
2016-09-19 20:01 ` Alex Elsayed
2016-09-19 22:22 ` Zygo Blaxell
2016-09-19 22:25 ` Chris Murphy
2016-09-19 22:31 ` Zygo Blaxell
2016-09-20 1:10 ` Zygo Blaxell
2016-09-17 18:45 ` David Sterba
2016-09-20 14:26 ` Anand Jain
2016-09-16 10:45 ` Brendan Hide
2016-09-16 11:46 ` Anand Jain
2016-09-16 8:49 ` David Sterba
2016-09-16 11:56 ` Anand Jain
2016-09-17 20:35 ` David Sterba
2016-09-18 8:34 ` RAID1 availability issue[2], Hot-spare and auto-replace Anand Jain
2016-09-18 17:28 ` Chris Murphy
2016-09-18 17:34 ` Chris Murphy
2016-09-19 2:25 ` Anand Jain
2016-09-19 12:07 ` Austin S. Hemmelgarn
2016-09-19 12:25 ` Austin S. Hemmelgarn
2016-09-18 9:54 ` [RFC] Preliminary BTRFS Encryption Anand Jain
2016-09-20 0:12 ` Chris Mason
2016-09-20 0:55 ` Anand Jain
2016-09-17 6:58 ` Eric Biggers
2016-09-17 7:13 ` Alex Elsayed
2016-09-19 18:57 ` Zygo Blaxell [this message]
2016-09-19 19:50 ` Alex Elsayed
2016-09-19 22:12 ` Zygo Blaxell
2016-09-17 16:12 ` Anand Jain
2016-09-17 18:57 ` Chris Murphy
2016-09-19 15:15 ` Experimental btrfs encryption Theodore Ts'o
2016-09-19 20:58 ` Alex Elsayed
2016-09-20 0:32 ` Chris Mason
2016-09-20 2:47 ` Alex Elsayed
2016-09-20 2:50 ` Theodore Ts'o
2016-09-20 3:05 ` Alex Elsayed
2016-09-20 4:09 ` Zygo Blaxell
2016-09-20 15:44 ` Chris Mason
2016-09-21 13:52 ` Anand Jain
2016-09-20 4:05 ` Anand Jain
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160919185733.GH21290@hungrycats.org \
--to=ce3g8jdj@umail.furryterror.org \
--cc=eternaleye@gmail.com \
--cc=linux-btrfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).