From mboxrd@z Thu Jan 1 00:00:00 1970 From: Anand Jain Subject: Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption Date: Tue, 22 Aug 2017 23:33:51 +0800 Message-ID: <7d4a9f66-7473-2e36-09bb-79d7885301bd@oracle.com> References: <20170818194730.61575-1-ebiggers3@gmail.com> <9a86b7af-5e07-9b6f-958a-bd72ab28926e@oracle.com> <20170822025545.GA3577@zzz.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Cc: linux-fscrypt@vger.kernel.org, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, "Theodore Y . Ts'o" , Jaegeuk Kim , Richard Weinberger , Michael Halcrow , Eric Biggers To: Eric Biggers Return-path: In-Reply-To: <20170822025545.GA3577@zzz.localdomain> Content-Language: en-US Sender: linux-fsdevel-owner@vger.kernel.org List-Id: linux-ext4.vger.kernel.org On 08/22/2017 10:55 AM, Eric Biggers wrote: > On Tue, Aug 22, 2017 at 10:22:30AM +0800, Anand Jain wrote: >> >> Hi Eric, >> >> How about a section on the threat model specific to the file-name ? >> >> (Sorry if I am missing something). >> >> Thanks, Anand > > It's already mentioned that filenames are encrypted: "fscrypt protects the > confidentiality of file contents and filenames in the event of a single > point-in-time permanent offline compromise of the block device content." > There's not much more to it than that; all the other points in the "Threat > model" section (offline manipulations, timing attacks, access control, key > eviction, etc.) are essentially the same between contents and filenames > encryption. Do you think if application does not keep the sensitive information in the file-name, would that remove the file-name from the list of items that should be protected ? Thanks, Anand