From: Daniel Vacek <neelx@suse.com>
To: Qu Wenruo <wqu@suse.com>
Cc: linux-crypto@vger.kernel.org,
linux-btrfs <linux-btrfs@vger.kernel.org>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
Josef Bacik <josef@toxicpanda.com>
Subject: Re: Questions about encryption and (possibly weak) checksum
Date: Fri, 21 Nov 2025 14:02:54 +0100 [thread overview]
Message-ID: <CAPjX3Ffrs28a6wC3PvtXpPy5Hw9pOmGYqchpg7WRtTwdDo1mgg@mail.gmail.com> (raw)
In-Reply-To: <48a91ada-c413-492f-86a4-483355392d98@suse.com>
On Thu, 20 Nov 2025 at 22:58, Qu Wenruo <wqu@suse.com> wrote:
> Hi,
>
> Recently Daniel is reviving the fscrypt support for btrfs, and one thing
> caught my attention, related the sequence of encryption and checksum.
>
> What is the preferred order between encryption and (possibly weak) checksum?
>
> The original patchset implies checksum-then-encrypt, which follows what
> ext4 is doing when both verity and fscrypt are involved.
If by "the original patchset" you mean the few latest btrfs encryption
support iterations sent by Josef a couple years back then you may have
misunderstood the implementation. The design is precisely taking
checksum of the encrypted data which is exactly the right thing to do.
And I'm not touching that part at all. You can check it out when I'll
post the next iteration (or check the v5 on ML archive).
But I'm happy you care :-)
--nX
> But on the other hand, btrfs' default checksum (CRC32C) is definitely
> not a cryptography level HMAC, it's mostly for btrfs to detect incorrect
> content from the storage and switch to another mirror.
>
> Furthermore, for compression, btrfs follows the idea of
> compress-then-checksum, thus to me the idea of encrypt-then-checksum
> looks more straightforward, and easier to implement.
>
> Finally, the btrfs checksum itself is not encrypted (at least for now),
> meaning the checksum is exposed for any one to modify as long as they
> understand how to re-calculate the checksum of the metadata.
>
>
> So my question here is:
>
> - Is there any preferred sequence between encryption and checksum?
>
> - Will a weak checksum (CRC32C) introduce any extra attack vector?
>
> Thanks,
> Qu
next prev parent reply other threads:[~2025-11-21 13:03 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-20 21:58 Questions about encryption and (possibly weak) checksum Qu Wenruo
2025-11-20 22:32 ` Eric Biggers
2025-11-20 22:36 ` Qu Wenruo
2025-11-21 13:02 ` Daniel Vacek [this message]
2025-11-21 19:08 ` Qu Wenruo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAPjX3Ffrs28a6wC3PvtXpPy5Hw9pOmGYqchpg7WRtTwdDo1mgg@mail.gmail.com \
--to=neelx@suse.com \
--cc=josef@toxicpanda.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=wqu@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).