Questions about encryption and (possibly weak) checksum

Questions about encryption and (possibly weak) checksum

[Qu Wenruo]

Hi,

Recently Daniel is reviving the fscrypt support for btrfs, and one thing 
caught my attention, related the sequence of encryption and checksum.

What is the preferred order between encryption and (possibly weak) checksum?

The original patchset implies checksum-then-encrypt, which follows what 
ext4 is doing when both verity and fscrypt are involved.


But on the other hand, btrfs' default checksum (CRC32C) is definitely 
not a cryptography level HMAC, it's mostly for btrfs to detect incorrect 
content from the storage and switch to another mirror.

Furthermore, for compression, btrfs follows the idea of 
compress-then-checksum, thus to me the idea of encrypt-then-checksum 
looks more straightforward, and easier to implement.

Finally, the btrfs checksum itself is not encrypted (at least for now), 
meaning the checksum is exposed for any one to modify as long as they 
understand how to re-calculate the checksum of the metadata.


So my question here is:

- Is there any preferred sequence between encryption and checksum?

- Will a weak checksum (CRC32C) introduce any extra attack vector?

Thanks,
Qu

Re: Questions about encryption and (possibly weak) checksum

[Eric Biggers]

On Fri, Nov 21, 2025 at 08:28:38AM +1030, Qu Wenruo wrote:
> Hi,
> 
> Recently Daniel is reviving the fscrypt support for btrfs, and one thing
> caught my attention, related the sequence of encryption and checksum.
> 
> What is the preferred order between encryption and (possibly weak) checksum?
> 
> The original patchset implies checksum-then-encrypt, which follows what ext4
> is doing when both verity and fscrypt are involved.
> 
> 
> But on the other hand, btrfs' default checksum (CRC32C) is definitely not a
> cryptography level HMAC, it's mostly for btrfs to detect incorrect content
> from the storage and switch to another mirror.
> 
> Furthermore, for compression, btrfs follows the idea of
> compress-then-checksum, thus to me the idea of encrypt-then-checksum looks
> more straightforward, and easier to implement.
> 
> Finally, the btrfs checksum itself is not encrypted (at least for now),
> meaning the checksum is exposed for any one to modify as long as they
> understand how to re-calculate the checksum of the metadata.
> 
> 
> So my question here is:
> 
> - Is there any preferred sequence between encryption and checksum?
> 
> - Will a weak checksum (CRC32C) introduce any extra attack vector?

If you won't be encrypting the checksums, then it needs to be
encrypt+checksum so that the checksums don't leak information about the
plaintext.  It doesn't matter how "strong" the checksum is.

- Eric

Re: Questions about encryption and (possibly weak) checksum

[Qu Wenruo]

在 2025/11/21 09:02, Eric Biggers 写道:
> On Fri, Nov 21, 2025 at 08:28:38AM +1030, Qu Wenruo wrote:
>> Hi,
>>
>> Recently Daniel is reviving the fscrypt support for btrfs, and one thing
>> caught my attention, related the sequence of encryption and checksum.
>>
>> What is the preferred order between encryption and (possibly weak) checksum?
>>
>> The original patchset implies checksum-then-encrypt, which follows what ext4
>> is doing when both verity and fscrypt are involved.
>>
>>
>> But on the other hand, btrfs' default checksum (CRC32C) is definitely not a
>> cryptography level HMAC, it's mostly for btrfs to detect incorrect content
>> from the storage and switch to another mirror.
>>
>> Furthermore, for compression, btrfs follows the idea of
>> compress-then-checksum, thus to me the idea of encrypt-then-checksum looks
>> more straightforward, and easier to implement.
>>
>> Finally, the btrfs checksum itself is not encrypted (at least for now),
>> meaning the checksum is exposed for any one to modify as long as they
>> understand how to re-calculate the checksum of the metadata.
>>
>>
>> So my question here is:
>>
>> - Is there any preferred sequence between encryption and checksum?
>>
>> - Will a weak checksum (CRC32C) introduce any extra attack vector?
> 
> If you won't be encrypting the checksums, then it needs to be
> encrypt+checksum so that the checksums don't leak information about the
> plaintext.  It doesn't matter how "strong" the checksum is.

Great, that matches my expectation.

Thanks,
Qu

> - Eric

Re: Questions about encryption and (possibly weak) checksum

[Daniel Vacek]

On Thu, 20 Nov 2025 at 22:58, Qu Wenruo <wqu@suse.com> wrote:
> Hi,
>
> Recently Daniel is reviving the fscrypt support for btrfs, and one thing
> caught my attention, related the sequence of encryption and checksum.
>
> What is the preferred order between encryption and (possibly weak) checksum?
>
> The original patchset implies checksum-then-encrypt, which follows what
> ext4 is doing when both verity and fscrypt are involved.

If by "the original patchset" you mean the few latest btrfs encryption
support iterations sent by Josef a couple years back then you may have
misunderstood the implementation. The design is precisely taking
checksum of the encrypted data which is exactly the right thing to do.
And I'm not touching that part at all. You can check it out when I'll
post the next iteration (or check the v5 on ML archive).

But I'm happy you care :-)

--nX

> But on the other hand, btrfs' default checksum (CRC32C) is definitely
> not a cryptography level HMAC, it's mostly for btrfs to detect incorrect
> content from the storage and switch to another mirror.
>
> Furthermore, for compression, btrfs follows the idea of
> compress-then-checksum, thus to me the idea of encrypt-then-checksum
> looks more straightforward, and easier to implement.
>
> Finally, the btrfs checksum itself is not encrypted (at least for now),
> meaning the checksum is exposed for any one to modify as long as they
> understand how to re-calculate the checksum of the metadata.
>
>
> So my question here is:
>
> - Is there any preferred sequence between encryption and checksum?
>
> - Will a weak checksum (CRC32C) introduce any extra attack vector?
>
> Thanks,
> Qu

Re: Questions about encryption and (possibly weak) checksum

[Qu Wenruo]

在 2025/11/21 23:32, Daniel Vacek 写道:
> On Thu, 20 Nov 2025 at 22:58, Qu Wenruo <wqu@suse.com> wrote:
>> Hi,
>>
>> Recently Daniel is reviving the fscrypt support for btrfs, and one thing
>> caught my attention, related the sequence of encryption and checksum.
>>
>> What is the preferred order between encryption and (possibly weak) checksum?
>>
>> The original patchset implies checksum-then-encrypt, which follows what
>> ext4 is doing when both verity and fscrypt are involved.
> 
> If by "the original patchset" you mean the few latest btrfs encryption
> support iterations sent by Josef a couple years back then you may have
> misunderstood the implementation. The design is precisely taking
> checksum of the encrypted data which is exactly the right thing to do.
> And I'm not touching that part at all. You can check it out when I'll
> post the next iteration (or check the v5 on ML archive).

Then you really make me confused.

What's the problem of the existing 
fscrypt_encrypt_pagecache_blocks()/fscrypt_encryt_pages()?
They don't introduce any limits like the new proposed callback hook, 
which has limits on the checksum calculation (can not be delayed), can 
not split bios etc.

And all existing filesystems like f2fs/ext4/ceph are using them fine, 
and using that interface is completely compatible with any btrfs 
specific features (read-verification/read-repair/bio split etc).

That idea completely discard the layer separation, and I didn't see any 
reason why that must to be done in that way.

Thanks,
Qu

> 
> But I'm happy you care :-)
> 
> --nX
> 
>> But on the other hand, btrfs' default checksum (CRC32C) is definitely
>> not a cryptography level HMAC, it's mostly for btrfs to detect incorrect
>> content from the storage and switch to another mirror.
>>
>> Furthermore, for compression, btrfs follows the idea of
>> compress-then-checksum, thus to me the idea of encrypt-then-checksum
>> looks more straightforward, and easier to implement.
>>
>> Finally, the btrfs checksum itself is not encrypted (at least for now),
>> meaning the checksum is exposed for any one to modify as long as they
>> understand how to re-calculate the checksum of the metadata.
>>
>>
>> So my question here is:
>>
>> - Is there any preferred sequence between encryption and checksum?
>>
>> - Will a weak checksum (CRC32C) introduce any extra attack vector?
>>
>> Thanks,
>> Qu
>