How does it know which block is encrypted with a given key for block-based encryption? I can see how this could be implemented for higher-level filesystem-level encryption but I don't think either the ext4/f2fs approach or the ZFS approach provides incremental rekeying.
Since dm-crypt is block layer encryption with 1:1 mapping between encrypted blocks and decrypted blocks, it isn't able to do it. It's possible if you actually have proper authenticated encryption but that requires having somewhere to store the extra metadata.
A working block-level FDE would address that before it got off the ground. Like by reserving some blocks out of band for tags.
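As an added illustration of the point in the two replies above (this is example code written for this page, not anything posted in the thread), here is a toy Python model of a dm-crypt-style 1:1 block mapping next to the same layout with a reserved out-of-band tag region. Because the standard library has no AES, an HMAC-SHA256 encrypt-then-MAC composition stands in for AES-GCM; the sector size, sector contents, key labels and the `PlainBlockDevice`/`AuthBlockDevice` names are all constructed for the example.

```python
import hashlib
import hmac
import secrets

SECTOR_SIZE = 64   # constructed toy sector size (real devices use 512 or 4096 bytes)
TAG_SIZE = 32      # one HMAC-SHA256 tag per sector, stored out of band


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, sector: int, length: int) -> bytes:
    """Counter-mode keystream keyed by sector number, which plays the IV
    role exactly as in dm-crypt (stand-in for AES-CTR/GCM)."""
    out, block = b"", 0
    while len(out) < length:
        msg = sector.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(enc_key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _tag(key: bytes, sector: int, ct: bytes) -> bytes:
    # The sector number is authenticated too, so ciphertext cannot be moved.
    return hmac.new(_subkey(key, b"mac"), sector.to_bytes(8, "big") + ct, hashlib.sha256).digest()


class PlainBlockDevice:
    """1:1 mapping with no room for metadata: a wrong key yields garbage
    silently, so the device cannot know which key a sector was written under."""

    def __init__(self, sectors: int):
        self.data = [bytes(SECTOR_SIZE)] * sectors

    def write(self, key: bytes, sector: int, plaintext: bytes) -> None:
        self.data[sector] = _xor(plaintext, _keystream(_subkey(key, b"enc"), sector, SECTOR_SIZE))

    def read(self, key: bytes, sector: int) -> bytes:
        return _xor(self.data[sector], _keystream(_subkey(key, b"enc"), sector, SECTOR_SIZE))


class AuthBlockDevice:
    """Same data layout plus an out-of-band tag region (the storage that
    dm-integrity provides when dm-crypt is layered on it)."""

    def __init__(self, sectors: int):
        self.data = [bytes(SECTOR_SIZE)] * sectors
        self.tags = [bytes(TAG_SIZE)] * sectors   # reserved tag region

    def write(self, key: bytes, sector: int, plaintext: bytes) -> None:
        ct = _xor(plaintext, _keystream(_subkey(key, b"enc"), sector, SECTOR_SIZE))
        self.data[sector], self.tags[sector] = ct, _tag(key, sector, ct)

    def read(self, keys: dict, sector: int):
        """Try each candidate key; the tag says which one (if any) is right.
        Returns (key_label, plaintext) or raises ValueError."""
        ct, stored = self.data[sector], self.tags[sector]
        for label, key in keys.items():
            if hmac.compare_digest(_tag(key, sector, ct), stored):
                return label, _xor(ct, _keystream(_subkey(key, b"enc"), sector, SECTOR_SIZE))
        raise ValueError(f"sector {sector}: no candidate key authenticates the data")


def rekey_sectors(dev: AuthBlockDevice, old_key: bytes, new_key: bytes, sectors) -> None:
    """Incremental rekey: re-encrypt only the given sectors. Unvisited sectors
    stay readable under the old key because each tag records which key it has."""
    for s in sectors:
        _, plaintext = dev.read({"old": old_key}, s)
        dev.write(new_key, s, plaintext)


def demo() -> dict:
    k_old, k_new = secrets.token_bytes(32), secrets.token_bytes(32)
    contents = [bytes([i]) * SECTOR_SIZE for i in range(4)]   # constructed sector data

    plain = PlainBlockDevice(4)
    for i, s in enumerate(contents):
        plain.write(k_old, i, s)
    garbage = plain.read(k_new, 0) != contents[0]   # wrong data, no error raised

    auth = AuthBlockDevice(4)
    for i, s in enumerate(contents):
        auth.write(k_old, i, s)
    rekey_sectors(auth, k_old, k_new, [0, 1])        # rekey interrupted half-way
    keys = {"new": k_new, "old": k_old}
    owners = [auth.read(keys, i)[0] for i in range(4)]
    intact = all(auth.read(keys, i)[1] == contents[i] for i in range(4))

    auth.data[2] = bytes([auth.data[2][0] ^ 1]) + auth.data[2][1:]   # flip one bit
    try:
        auth.read(keys, 2)
        tamper_caught = False
    except ValueError:
        tamper_caught = True
    return {"plain_wrong_key_returns_garbage": garbage, "owners": owners,
            "intact": intact, "tamper_caught": tamper_caught}
```

Running `demo()` shows the contrast: the plain device returns wrong data for a wrong key without any signal, while the tagged device reports sectors 0 and 1 as carrying the new key and 2 and 3 the old one, and rejects a modified sector under both keys.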
The ext2/f2fs encryption approach is essentially still block-based encryption by the way, and they still need a global key for metadata. It's entirely possible to use with ONLY a boot passphrase, and the end result is essentially the same. They do encrypt every block when set up right.
The filenames actually get encrypted 2x because they encrypt the metadata blocks with the global key and then also encrypt the filenames with the per-file keys.
They don't currently have proper authenticated encryption in the mainline Linux kernel implementation either though.
dm-crypt can be layered on top of dm-integrity which provides the storage for tags. It's a somewhat weird leaky abstraction. It isn't really used that way in practice though, and the higher-level tools aren't doing it yet.
Yeah, I think it's a bad layering. Symmetric crypto just should not be used outside an AEAD.
I think it can actually use AEAD because it's a lossy abstraction where dm-integrity is able to just provide the storage for tags. It's fairly weird and I don't really get why they designed it the way that they did instead of it just being the same thing.
ZFS had a fairly mature implementation of filesystem layer encryption with authenticated encryption and nicer features than what f2fs/ext4 originally provided. I find it a bit odd that the ext4 developers reinvented it all from the ground up without at least looking at ZFS docs.
They made some bad choices for ext4 which have had to be fixed, and it initially provided a very limited feature set. They also haven't bothered to provide proper tooling for it. Android provides that itself. They do have out-of-tree AEAD but it's unclear when it'll be upstream.
The ext4/f2fs encryption documentation/tooling they provide for the mainline Linux kernel is very inadequate, and they haven't upstreamed FDE support (i.e. metadata encryption) or AEAD even though it's largely made by the ext4 developers themselves.
kernel.org/doc/html/v5.12
Weird.