From: "Austin S. Hemmelgarn" <ahferroin7@gmail.com>
To: Anand Jain <anand.jain@oracle.com>, linux-btrfs@vger.kernel.org
Cc: clm@fb.com, dsterba@suse.cz
Subject: Re: [RFC] Experimental btrfs encryption
Date: Tue, 1 Mar 2016 11:41:51 -0500 [thread overview]
Message-ID: <56D5C64F.3000800@gmail.com> (raw)
In-Reply-To: <1456848492-4814-1-git-send-email-anand.jain@oracle.com>
On 2016-03-01 11:08, Anand Jain wrote:
> This patchset adds btrfs encryption support.
While I think this is a great feature to have, I personally think we're
better off waiting for the ext4/F2FS encryption API's to get pushed up
to the VFS layer in mainline, and then use those for the user facing API
(or at least support them). That said, general comments below.
>
> Warning:
> The code is in prototype/experimental stage and is not suitable
> for the production data yet.
>
> Example usage:
> Create an encrypted subvolume:
> btrfs subvol create -e /btrfs/sv1
> Paraphrase: <-
Is there any way to do encryption per file instead of per-subvolume?
This is a useful feature for a lot of people, and would provide better
consistency with how most other filesystem-level encryption designs
work. That said, I do like the possibility of per-subvolume encryption,
as it allows for things like per-user encrypted home directories without
needing some extra layer like ecryptfs.
>
> Review encryption status
> btrfs subvol show /btrfs/sv1
> btrfs/sv1
> Name: sv1
> UID: d8bf1718-56a7-da40-86d9-b8e87315f63f
> Parent UUID: -
> Received UUID: -
> Creation time: 2016-03-01 17:11:58 +0800
> Subvolume ID: 257
> Generation: 13
> Gen at creation:7
> Parent ID: 5
> Top level ID: 5
> Flags: -
> Encryption: aes@btrfs:d8bf1718 (188612608)
> ^ ^^^^^^^^^^^^^^ ^^^^^^^^^
> | | |
> Algorithm Key-Tag Key-serial-number
>
> keyctl show
> ::
> 188612608 --alswrv 0 0 \_ user: btrfs:d8bf1718
>
> Logout/revoke:
> btrfs subvol encrypt -k out /btrfs/sv1
> btrfs subvol show /btrfs/sv1 | egrep Encrypt
> Encryption: aes@btrfs:d8bf1718 (Required key not available)
>
> sign in:
> btrfs subvol encrypt -k in /btrfs/sv1
>
> Known issues / limitation / for future expansion:
> - Need to set FS incompatible feature.
>
> - No password verification yet.
These two are absolutely essential from a data safety POV.
>
> - Move of files across subvolume is not supported when both
> or either one has encryption set.
>
> - No way to change the password.
>
> - Does not drop the cached pages when key is revoked.
This is essential from a security POV.
>
> - Need to get password twice from the user.
>
> - No user permeable subvol info ioctl.
>
> - Provide a method to pass key using the mount option.
>
> - Provide a method to read the key from the file.
>
> - Current encryption method is symmetric (same key for both
> encryption and decryption), however we could easily expand
> this to other potentially useful methods like asymmetric
> (private/public) encryption.
>
> - As of now uses "user" keytype, I am still considering/
> evaluating other key type such as logon.
>
> - Evaluate other encryption algorithms, as of now it is
> using "cts(cbc(aes)".
While this would be nice (I would love to see full CryptoAPI support),
it probably shouldn't be considered a deal breaker for merging this or
declaring it production ready.
>
> - Uses btrfs compression framework, so compression and then
> encryption is not possible. However yet evaluate if there
> are encryption algorithm which can compress as well.
The utility of this is debatable. Most other filesystems that support
both compression and encryption support only one or the other for a
given file, encrypting compressed data is overall less secure than
encrypting the data itself, and trying to compress encrypted data
usually just wastes CPU time.
next prev parent reply other threads:[~2016-03-01 16:42 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-01 16:08 [RFC] Experimental btrfs encryption Anand Jain
2016-03-01 16:08 ` [RFC PATCH 1/1] btrfs: Encryption: Add btrfs encryption support Anand Jain
2016-03-10 2:19 ` Liu Bo
2016-05-06 9:21 ` Anand Jain
2016-03-01 16:08 ` [RFC PATCH 1/2] btrfs-progs: subvolume functions reorg Anand Jain
2016-03-01 16:08 ` [RFC PATCH 2/2] btrfs-progs: Encryption: add encrypt sub cli Anand Jain
2016-03-01 16:29 ` [RFC] Experimental btrfs encryption Tomasz Torcz
2016-03-01 16:46 ` Chris Mason
2016-03-01 17:56 ` Austin S. Hemmelgarn
2016-03-01 17:59 ` Christoph Hellwig
2016-03-01 18:23 ` Chris Mason
2016-03-02 4:48 ` Anand Jain
2016-03-04 12:30 ` Austin S. Hemmelgarn
2016-03-01 16:41 ` Austin S. Hemmelgarn [this message]
2016-03-02 1:44 ` Qu Wenruo
2016-03-02 8:50 ` Anand Jain
2016-03-03 1:12 ` Qu Wenruo
2016-03-02 7:07 ` Anand Jain
2016-03-02 1:06 ` Qu Wenruo
2016-03-02 9:09 ` Anand Jain
2016-03-03 1:26 ` Qu Wenruo
2016-03-03 10:17 ` Alex Elsayed
2016-03-04 2:52 ` Anand Jain
2016-03-20 11:56 ` Martin Steigerwald
2016-03-03 1:58 ` Anand Jain
2016-03-22 14:25 ` David Sterba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56D5C64F.3000800@gmail.com \
--to=ahferroin7@gmail.com \
--cc=anand.jain@oracle.com \
--cc=clm@fb.com \
--cc=dsterba@suse.cz \
--cc=linux-btrfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).