Another Attempt At Adding Encryption Support To Btrfs


  • Another Attempt At Adding Encryption Support To Btrfs

    Phoronix: Another Attempt At Adding Encryption Support To Btrfs

    While the Btrfs file-system supports many next-gen features from SSD optimizations to transparent file-system compression to snapshots, it hasn't natively offered any encryption support. There have been Btrfs encryption attempts in the past, but nothing that has panned out in mainline short of running Btrfs atop dm-crypt. A new patch series was published overnight having another go at adding AES encryption to Btrfs...

    http://www.phoronix.com/scan.php?pag...ncryption-2019

  • #2
    Wow this is great news. I hope this turns into something working. File based encryption is one of the main missing features in modern Linux distributions IMO. A setup similar to FileVault with per user keys would be awesome.


    • #3
      I really hope they'll keep working on it until it gets mainlined.
      ## VGA ##
      AMD: X1950XTX, HD3870, HD5870
      Intel: GMA45, HD3000 (Core i5 2500K)


      • #4
        File based encryption works just fine. Just pipe stuff through openssl or gpg.

        Nice for btrfs.
        I don't have the time to read the patchset so:
        How does this integrate with subvolumes and snapshots?
        Would it allow for per user encrypted subvolumes, opened through PAM?
        cp --reflink=always won't work due to COW being disabled, right?


        • #5
          It would be interesting to see the performance compared to dm-crypt as well as what kind of flexibility it has with regard to other fs features like xattr, subvols, snapshots, btrfs send|receive.


          • #6
            Originally posted by Serafean
            File based encryption works just fine. Just pipe stuff through openssl or gpg.

            Nice for btrfs.
            I don't have the time to read the patchset so:
            How does this integrate with subvolumes and snapshots?
            Would it allow for per user encrypted subvolumes, opened through PAM?
            cp --reflink=always won't work due to COW being disabled, right?
            The article says COW is enforced. I think it means it's forced enabled in this mode.


            • #7
              Originally posted by treba
              Wow this is great news. I hope this turns into something working. File based encryption is one of the main missing features in modern Linux distributions IMO. A setup similar to FileVault with per user keys would be awesome.
              I'd like a pre-boot environment where a user can log in with their password to decrypt and passes that login along to the login manager.


              • #8
                Different cryptographic algorithms have to be implemented independently for each file system which is rather redundant.

                Imagine:
                • You install AES-256 and now it is available for all file systems.
                • You install Brotli and now it is available for all file systems.
                • You install PNG and now it is available in all applications that handle images. GIMP, Eye of GNOME, etc.
                • You install AV1-decoder and now it is available in all applications that play back video. Totem, VLC, MPlayer, etc.
                • You install AV1-encoder and now it is available in all video editing applications.
                • You install FLAC and now it is available in all your music player applications.


                • #9
                  That's why we have libs and kernel modules, right?


                  • #10
                    Originally posted by uid313
                    Different cryptographic algorithms have to be implemented independently for each file system which is rather redundant.

                    Imagine:
                    • You install AES-256 and now it is available for all file systems.
                    • You install Brotli and now it is available for all file systems.
                    • You install PNG and now it is available in all applications that handle images. GIMP, Eye of GNOME, etc.
                    • You install AV1-decoder and now it is available in all applications that play back video. Totem, VLC, MPlayer, etc.
                    • You install AV1-encoder and now it is available in all video editing applications.
                    • You install FLAC and now it is available in all your music player applications.
                    I think I remember either BeOS or PPC-era AmigaOS having a general OS-wide plugin provider architecture which was used like that... not sure which.

                    Things like GStreamer and DirectShow do it for video and audio and I think Windows might have something less well-known in that vein for encryption algorithms, but I can't think of any such framework for image codecs or compression algorithms in mainstream OSes.
                    Last edited by ssokolow; 01-09-2019, 08:39 AM.
