Improved Fscrypt Sent In For Linux 5.4 To Offer Better Native File Encryption Handling

Written by Michael Larabel in Linux Storage on 18 September 2019 at 12:09 AM EDT. 4 Comments
In addition to submitting the FS-VERITY file authentication code for Linux 5.4, Google's Eric Biggers has sent out his big update to the fscrypt file encryption framework for this next kernel revision.

Fscrypt as a reminder is a kernel framework providing native file encryption support to file-systems. Currently Fscrypt is used by EXT4, F2FS, and UBIFS while being used by Google for at least new Android use-cases. Fscrypt has been around for several kernel cycles now but for Linux 5.4 is seeing its first big update.

The code proposed for Linux 5.4 better deals with Fscrypt key management and other issues that have come up in the early adoption of this file encryption support. Biggers noted some of the specific improvements:
- Add ioctls that add/remove encryption keys to/from a filesystem-level keyring. These fix user-reported issues where e.g. an encrypted home directory can break NetworkManager, sshd, Docker, etc. because they don't get access to the needed keyring. These ioctls also provide a way to lock encrypted directories that doesn't use the vm.drop_caches sysctl, so is faster, more reliable, and doesn't always need root.

- Add a new encryption policy version ("v2") which switches to a more standard, secure, and flexible key derivation function, and starts verifying that the correct key was supplied before using it. The key derivation improvement is needed for its own sake as well as for ongoing feature work for which the current way is too inflexible.

The Linux desktop and Android user-space software is still being updated to make use of the new/improved functionality. More details via the pull request.
Related News
About The Author
Author picture

Michael Larabel is the principal author of and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via

Popular News This Week