EXT4 Might Work On Transparent Encryption Support


  • #11
    Originally posted by Pajn View Post
    I can't see any reason for this over LUKS.
    For file-systems like ZFS and Btrfs yes, but EXT no.
    Unless there's a huge performance win in having FS-level encryption - I fail to see why *any* FS should have its own encryption support.
    Instead of solving security and performance issues in one layer (dm-crypt) you are now forced to solve the same (?) issue across different FS' (ext4-crypt, btrfs-crypt, etc).
    Granted, all FS' can share the same crypto code and implement it differently on disk - but this will be more-or-less the same as improving dm-crypt (which in the case of btrfs COW, may be a hard requirement).

    - Gilboa
    oVirt-HV1: Intel S2600C0, 2xE5-2658V2, 128GB, 8x2TB, 4x480GB SSD, GTX1080 (to-VM), Dell U3219Q, U2415, U2412M.
    oVirt-HV2: Intel S2400GP2, 2xE5-2448L, 120GB, 8x2TB, 4x480GB SSD, GTX730 (to-VM).
    oVirt-HV3: Gigabyte B85M-HD3, E3-1245V3, 32GB, 4x1TB, 2x480GB SSD, GTX980 (to-VM).
    Devel-2: Asus H110M-K, i5-6500, 16GB, 3x1TB + 128GB-SSD, F33.



    • #12
      Originally posted by jaxxed View Post
      Using LUKS with ZFS and BTRFS is not great for the performance/stability, but it is also a pain for the user in any multi-disk case. You have to have separate LUKS partitions, and end up repeatedly entering LUKS passphrases.
      Seems to be a distro-specific issue.
      At least in Fedora and RHEL/CentOS (Plymouth), the initial password is used to unlock all crypto partitions.
      You get a second prompt only if the initial password fails.

      - Gilboa


      • #13
        Originally posted by zxy_thf View Post
        I don't see the point to replace full-disk encryption (LUKS) with fs-level encryption (e.g. eCryptfs). They are two different things.
        As we can see, MS Windows supports both; NTFS has supported EFS for a while (since 2000?), and they still introduced BitLocker in Vista.

        In most cases fs-level encryption only protects the content of files, but not the metadata of files. For security reasons I prefer full-disk encryption, esp. with AES-NI hardware it's nearly free.
        I'd say it depends. For many applications I don't really need crypto everywhere, just on sensitive data.

        AES hardware is fine but it has its limits. Also, it means that data must go through CPU and can't be transferred through DMA.

        Also, doing it within FS might enable some cool stuff. Like having some files multiple encrypted and so you'd have to have key combo to access them (like key from computer admin, database owner and user of the database) etc.
