Gentoo Forums
ext4 native full disk encryption on Linux >= 4.1 ?
Myu
Apprentice


Joined: 22 Oct 2014
Posts: 164
Location: Belgium

Posted: Wed Oct 28, 2015 11:06 am    Post subject: ext4 native full disk encryption on Linux >= 4.1 ?

Hi there!

So since Linux 4.1, file-system level encryption has been added to the ext4 filesystem, removing the need to do a setup with dm-crypt/LUKS.

It also marks the first time a major Linux filesystem has native encryption support, yay! :D

It depends on:

Linux >= 4.1 with CONFIG_KEYS and CONFIG_EXT4_FS_ENCRYPTION
e2fsprogs >= 1.43 from Git

I'm definitely tempted to try it out soon and to share my experience with everyone (be it here or on a dedicated wiki page) but I still have a few questions, namely:

* Is it possible to encrypt the whole drive?

So far I've read that it works only (?) on directories, fair enough, so in theory I could encrypt / but the "whole" drive wouldn't be encrypted; not sure if it matters.

* Is it possible to create an ext4 encrypted partition and then to dump a disk image (made by dd) onto it in order to migrate from unencrypted ext4 to encrypted?

I guess not, since dd will "copy" the filesystem as well (when I do file(1) filesystem_image_name, file(1) reports the file as being an ext4 filesystem), so maybe it's better to do it with rsync.

So, has anyone played with it so far on Gentoo or elsewhere?

Further reading:

* Stackexchange thread about it
* lwn article
frostschutz
Advocate


Joined: 22 Feb 2005
Posts: 2977
Location: Germany

Posted: Wed Oct 28, 2015 11:42 am    Post subject: Re: ext4 native full disk encryption on Linux >= 4.1 ?

Myu wrote:
Is it possible to encrypt the whole drive?


It encrypts files and directories. So if you use it from the start, that's kind of as whole as it gets.

Myu wrote:
Is it possible to create an ext4 encrypted partition and then to dump a disk image (made by dd) onto it in order to migrate from unencrypted ext4 to encrypted?


It's a filesystem so you want to copy files using cp / rsync / ... and not dd which copies block devices (below the file system layer).

If an encrypted block device is what you want you have to stick with LUKS.

Given a choice between ext4 encryption and LUKS, when the goal is to be full disk encryption, I'd always recommend LUKS.
Myu
Apprentice


Joined: 22 Oct 2014
Posts: 164
Location: Belgium

Posted: Wed Oct 28, 2015 12:09 pm

Quote:
It encrypts files and directories. So if you use it from the start, that's kind of as whole as it gets.


Ok, so I would need to create it with mkfs.ext4 -O encrypt I guess, which comes from e2fsprogs 1.43-WIP.

I'm not sure yet if it's possible to set / as the "encrypted directory" as, on the Stackexchange thread, the user creates a subdirectory where the encryption will take place.

Code:
    sudo mkdir -p /secret/home/$USER
    ...
    /usr/sbin/e4crypt add_key -S `cat ~/.cryptoSalt` /secret/home/$USER


Quote:
Given a choice between ext4 encryption and LUKS, when the goal is to be full disk encryption, I'd always recommend LUKS.


Maybe I should really try it out before saying anything, but the setup seems more convoluted; I would like to keep it simple and stay without an initramfs. Also, it's way more elegant to get native encryption.

That being said, I use LUKS with Linux Mint 17.2 on my laptop and it works really fine.
frostschutz
Advocate
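A prerequisite check for the setup discussed in this post, added here as an example and not part of the thread: it verifies the kernel version, the two kernel options and the e2fsprogs version that the opening post lists, so a failed mkfs.ext4 -O encrypt or e4crypt add_key can be traced to a missing prerequisite. The kernel .config path (/usr/src/linux/.config) and the first-line format of `mke2fs -V` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check the prerequisites listed in the
# opening post before building an encrypted ext4 filesystem:
#   Linux >= 4.1 with CONFIG_KEYS and CONFIG_EXT4_FS_ENCRYPTION, e2fsprogs >= 1.43.
# Assumptions: the kernel config lives at /usr/src/linux/.config and
# `mke2fs -V` prints "mke2fs <version> (<date>)" on its first line.

# version_ge A B: succeed if dotted version A >= B (numeric, first 3 parts).
# A suffix such as "-gentoo" or "-WIP" is ignored; missing parts count as 0.
version_ge() {
    a="${1%%-*}.0.0"
    b="${2%%-*}.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i"); x=${x%%[!0-9]*}
        y=$(printf '%s\n' "$b" | cut -d. -f"$i"); y=${y%%[!0-9]*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# kernel_option_set FILE OPTION: succeed if OPTION is built in (=y) or a module (=m).
kernel_option_set() {
    grep -q "^$2=[ym]$" "$1"
}

# mke2fs_version LINE: pull the version out of the first line of `mke2fs -V`,
# e.g. "mke2fs 1.43-WIP (09-Jul-2014)" -> 1.43
mke2fs_version() {
    printf '%s\n' "$1" | sed -n 's/^mke2fs \([0-9][0-9.]*\).*/\1/p'
}

# check_prereqs CONFIG_FILE KERNEL_RELEASE MKE2FS_LINE: run every check and
# report each failure on stderr; succeed only if all prerequisites are met.
check_prereqs() {
    ok=0
    version_ge "$2" 4.1 || { echo "kernel $2 is older than 4.1" >&2; ok=1; }
    for opt in CONFIG_KEYS CONFIG_EXT4_FS_ENCRYPTION; do
        kernel_option_set "$1" "$opt" || { echo "$opt is not enabled in $1" >&2; ok=1; }
    done
    v=$(mke2fs_version "$3")
    version_ge "${v:-0}" 1.43 || { echo "e2fsprogs ${v:-unknown} is older than 1.43" >&2; ok=1; }
    return "$ok"
}

# Live use on the machine being prepared (assumed paths; needs a readable .config):
#   check_prereqs /usr/src/linux/.config "$(uname -r)" "$(mke2fs -V 2>&1 | head -n 1)" \
#       && echo "ready for mkfs.ext4 -O encrypt"
```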


Joined: 22 Feb 2005
Posts: 2977
Location: Germany

Posted: Wed Oct 28, 2015 12:17 pm

Myu wrote:
I would like to keep it simple and stay without an initramfs


You still need an initramfs, in the full disk encryption case. The key for / has to come from somewhere. And you'll probably have to make it custom or at least write your own hook as it won't be covered by the standard initramfs generators yet.

It may work without initramfs for the case where only the home directory is encrypted. Which is the primary purpose of ext4 encryption anyway, it's a replacement for ecryptfs/encfs, not LUKS.

Quote:
it's way more elegant to get native encryption.


I do not understand why people consider it 'elegant' to add all this complexity into filesystems. Filesystems are already plenty complex just by doing regular files and nothing else. If you add encryption, raid, lvm, cow, compression, and all that other crap to it, it just means more things to go horribly wrong.
Myu
Apprentice


Joined: 22 Oct 2014
Posts: 164
Location: Belgium

Posted: Wed Oct 28, 2015 1:08 pm

Quote:
It may work without initramfs for the case where only the home directory is encrypted. Which is the primary purpose of ext4 encryption anyway, it's a replacement for ecryptfs/encfs, not LUKS.


That's interesting because I really thought about ext4 encryption as a solution for the whole drive. Looks like I'll need to read stuff about LUKS again, thanks for the heads up :)

Quote:
I do not understand why people consider it 'elegant' to add all this complexity into filesystems


Well, in any case, if you need encryption you'll add complexity, and LUKS is an additional layer while ext4 native encryption is just another feature of ext4; that's why it looks more elegant to me.

Quote:
If you add encryption, raid, lvm, cow, compression, and all that other crap to it, it just means more things to go horribly wrong.


On paper yes, but I trust that Google's engineers are pretty skilled at what they do, given the scale at which they plan to release this feature.

Take ZFS for instance: it has an impressive feature set, yet is recognized as a highly stable filesystem.
Roman_Gruber
Advocate


Joined: 03 Oct 2006
Posts: 3846
Location: Austro Bavaria

Posted: Wed Oct 28, 2015 3:07 pm

There are always bugs.

Go ahead and use some untested code.

ext4 had some issues and I am happy that I survived that.

Data corruption is never something which I want or aim at, and therefore LUKS is the more proven solution.

This solution may come for those who just want to encrypt their stuff on the fly, and maybe for those smartphones, because Google now requires with their newest version that the phone gets encrypted. Makes it worse to get off the user data later just in case.

It may be reliable to use it in a few years, but as of now I will stay away.