From: Eric Biggers <ebiggers3@gmail.com>
To: Anand Jain <anand.jain@oracle.com>
Cc: Theodore Ts'o <tytso@mit.edu>,
linux-fscrypt@vger.kernel.org, linux-doc@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org,
Jaegeuk Kim <jaegeuk@kernel.org>,
Richard Weinberger <richard@nod.at>,
Michael Halcrow <mhalcrow@google.com>,
Eric Biggers <ebiggers@google.com>
Subject: Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption
Date: Thu, 31 Aug 2017 11:10:15 -0700 [thread overview]
Message-ID: <20170831181015.GC5023@gmail.com> (raw)
In-Reply-To: <93100bd1-d4f7-3e4f-0e4a-6f8bb2787b6f@oracle.com>
Hi Anand,
On Tue, Aug 29, 2017 at 11:54:47AM +0800, Anand Jain wrote:
>
> BTRFS has an experimental fscrypt implementation[1] which does not
> include the file-name encryption part it should be included but as
> an optional since not all uses cases saves sensitive information in
> the file-name. OR even if the attacker is able to identify a file
> called secrete.txt and break it then its still points at the
> weakness of the file-data encryption. Can we say that ? apparently
> from the discussion here it seems the answer is yes.
>
Filenames by themselves can be sensitive information, since a filename can serve
as a strong indicator of what a file is. For example, a filename could be used
as evidence that a person had access to a certain document.
> >Hence, making the encryption of the filenames optional doesn't just to
> >make life easier for backup/restore isn't a compelling argument, since
> >the backup/restore program is going to have to have special case
> >handling for fscrypt protected file systems *anyway*.
>
> fscrypt backup and restore does not work even without file-name
> encryption because the Extended Attribute needs special ioctl in the
> fscrypt (I did rise this objection before).
>
> But its entirely possible to create a string based encryption
> metadata which can be updated/retrieved using the legacy backup
> tools such as
>
> rsync --xattrs
>
> That will be a design for fscryptv2 probably..
>
> OR I mean to say possible optional file-name encryption is not the
> ground reason for the encrypted backup and restore challenge.
>
This was already discussed. You cannot simply add and remove the encryption
xattr from random files and directories; what happens to all the open file
descriptors, memory maps, pagecache pages, dcache entries, etc.? Are the
existing contents and directory entries supposed to be left unencrypted, or are
they supposed to be already encrypted, or is the filesystem supposed to
automatically encrypt them when the xattr is set? What about when the xattr is
removed? Again, you're of course free to propose a design which takes into
account all of this and makes the argument for adding an xattr-based API, but I
haven't seen it yet.
Eric
next prev parent reply other threads:[~2017-08-31 18:10 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-18 19:47 [PATCH] fscrypt: add a documentation file for filesystem-level encryption Eric Biggers
2017-08-18 21:06 ` Andreas Dilger
2017-08-20 2:32 ` Theodore Ts'o
2017-08-21 22:33 ` Eric Biggers
2017-08-21 13:44 ` Anand Jain
2017-08-21 21:02 ` Theodore Ts'o
2017-08-21 23:08 ` Eric Biggers
2017-08-22 2:22 ` Anand Jain
2017-08-22 3:07 ` Eric Biggers
2017-08-22 15:35 ` Anand Jain
2017-08-22 17:36 ` Eric Biggers
2017-08-28 12:18 ` Anand Jain
2017-08-31 18:14 ` Eric Biggers
2017-08-22 3:07 ` Theodore Ts'o
2017-08-22 2:22 ` Anand Jain
2017-08-22 2:55 ` Eric Biggers
2017-08-22 15:33 ` Anand Jain
2017-08-22 17:07 ` Eric Biggers
2017-08-28 12:18 ` Anand Jain
2017-08-28 14:22 ` Theodore Ts'o
2017-08-29 3:54 ` Anand Jain
2017-08-31 18:10 ` Eric Biggers [this message]
2017-08-31 17:50 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170831181015.GC5023@gmail.com \
--to=ebiggers3@gmail.com \
--cc=anand.jain@oracle.com \
--cc=ebiggers@google.com \
--cc=jaegeuk@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=mhalcrow@google.com \
--cc=richard@nod.at \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).