Thread: EXT4 Might Work On Transparent Encryption Support

  1. #11

    Quote, originally posted by Pajn:
    I can't see any reason for this over LUKS.
    For file-systems like ZFS and Btrfs yes, but EXT no.

    Unless there's a huge performance win in having FS-level encryption - I fail to see why *any* FS should have its own encryption support.
    Instead of solving security and performance issues in one layer (dm-crypt) you are now forced to solve the same (?) issue across different FS' (ext4-crypt, btrfs-crypt, etc).
    Granted, all FS' can share the same crypto code and implement it differently on disk - but this will be more-or-less the same as improving dm-crypt (which in the case of btrfs COW, may be a hard requirement).

    - Gilboa
    DEV: Intel S2600C0, 2xE52658V2, 32GB, 4x2TB, GTX780, F20/x86_64, Dell U2711.
    SRV: Intel S5520SC, 2xX5680, 36GB, 4x2TB, GTX550, F20/x86_64, Dell U2412..
    BACK: Tyan Tempest i5400XT, 2xE5335, 8GB, 3x1.5TB, 9800GTX, F20/x86-64.
    LAP: ASUS N56VJ, i7-3630QM, 16GB, 1TB, 635M, F20/x86_64.

  2. #12

    Quote, originally posted by jaxxed:
    Using LUKS with ZFS and BTRFS is not great for the performance/stability, but it is also a pain for the user in any multi-disk case. You have to have separate LUKS partitions, and end up repeatedly entering LUKS passphrases.

    Seems to be a distro-specific issue.
    At least in Fedora and RHEL/CentOS (Plymouth), the initial password is used to unlock all crypto partitions.
    You get a second prompt only if the initial password fails.

    - Gilboa

  3. #13

    Quote, originally posted by zxy_thf:
    I don't see the point of replacing full-disk encryption (luks) with fs-level encryption (e.g. eCryptfs). They are two different things.
    As we can see, MS Windows supports both; NTFS has supported EFS for a while (since 2000?), and they still introduced BitLocker in Vista.

    In most cases fs-level encryption only protects the content of files, but not the metadata of files. For security reasons I prefer full-disk encryption, esp. with AES-NI hardware it's nearly free.

    I'd say it depends. For many applications I don't really need crypto everywhere, just on sensitive data.

    AES hardware is fine but it has its limits. Also, it means that data must go through the CPU and can't be transferred through DMA.

    Also, doing it within the FS might enable some cool stuff. Like having some files multiply encrypted, so you'd have to have a key combo to access them (like a key from the computer admin, the database owner and the user of the database), etc.
