Linux's FSCRYPT Working On Encryption + Case-Insensitive Support
FSCRYPT, the file-system encryption framework for the Linux kernel that is currently wired up for EXT4, F2FS, and UBIFS to offer native encryption capabilities, is seeing improvements so that the separate casefolding (case-insensitive) file/folder support can work on encrypted directories.
FSCRYPT is already quite versatile since being introduced to the mainline Linux kernel a few years ago and wired up most notably for EXT4 and F2FS. With Linux 5.2, EXT4 gained optional, per-directory case-insensitive support, which was subsequently extended to F2FS.
One limitation of the FSCRYPT file encryption support up to this point, however, is that it hasn't worked with the casefolding code for file/folder case insensitivity. That is changing, and possibly for Linux 5.7 it will be squared away so both features can work concurrently.
The FSCRYPT code currently has a wip-fscrypt-casefold branch where work is being queued on supporting case-folding in tandem with FSCRYPT-based encryption.
This introduces new file-system-agnostic generic UTF-8 case-folding functions in the common Linux file-system area and subsequently wires up EXT4 and F2FS to make use of that new code. As for handling both case-folding and encryption, "This expands f2fs's casefolding support to include encrypted directories. For encrypted directories, we use the siphash of the casefolded name. This ensures there is no direct way to go from an unencrypted name to the stored hash on disk without knowledge of the encryption policy keys."
These work-in-progress patches are being led by Google's Daniel Rosenberg.