On Thu, Dec 5, 2019 at 8:04 AM Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:

> If you use LUKS/dm-crypt without dm-integrity and you have a clue
> where things are located then you can change files without anything
> being able to detect that. (On btrfs you might have some luck, since
> it has data checksumming, but ext4 and other traditional file systems
> do not).

xxhash, sha256, and blake2 coming to Btrfs in kernel 5.5, with online
conversion between them.

> And it's easier to figure out where stuff is located than you might
> think since we live in a world where people use SSDs and mount file
> systems with "discard", so that what are used blocks and what are free
> blocks is propagated to the underlying device. Moreover file systems
> write in certain patterns, i.e. try to keep large files in one stream
> together, put files in the same directories adjacent to each other and
> so on, and are usually roughly reproducible.

Fedora install time default for LUKS encrypted volumes is to unlock
with cryptsetup open --allow-discards, which is set in /etc/crypttab by
using the discard option. This is since Fedora 27.
https://fedoraproject.org/wiki/Changes/EnableTrimOnDmCrypt

However, the installer doesn't enable the discard mount option for any
file system in /etc/fstab, and fstrim.timer is disabled by default.
Therefore the feature is a no-op for most users, who are unlikely to
enable file system discards using either method.

--
Chris Murphy
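The three settings named in the message above (the discard option in /etc/crypttab, the discard mount option in /etc/fstab, and fstrim.timer) can be checked together to see whether used/free block information actually reaches the device. The script below is an added example, not part of the original message or of Fedora's tooling; the function names and sample files are constructed, and it assumes any discard-mounted file system sits on the LUKS volume rather than mapping each mount to its device.

```shell
#!/bin/sh
# Added example: does TRIM actually reach the device under a LUKS volume?
# File paths and the timer state are parameters so it can run on copies.

# Print field $2 of each entry in file $1 whose option list (4th field in
# both crypttab and fstab) has an option matching the regex $3.
entries_with_opt() {
    awk -v col="$2" -v re="$3" 'NF == 0 || $1 ~ /^#/ { next }
    {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] ~ re) { print $col; break }
    }' "$1"
}
# Volume names that dm-crypt opens with discards allowed.
crypttab_discard() { entries_with_opt "$1" 1 '^discard$'; }
# Mount points using online discard ("nodiscard" does not match).
fstab_discard()    { entries_with_opt "$1" 2 '^discard(=.*)?$'; }

# trim_verdict CRYPTTAB FSTAB TIMER_STATE
#   blocked: dm-crypt drops discards, nothing reaches the device
#   active:  discards pass through and something issues them
#   no-op:   pass-through is allowed but nothing issues discards
trim_verdict() {
    luks=$(crypttab_discard "$1")
    mounts=$(fstab_discard "$2")
    if [ -z "$luks" ]; then
        echo blocked
    elif [ -n "$mounts" ] || [ "$3" = enabled ]; then
        echo active
    else
        echo no-op
    fi
}

# Constructed sample files modelling the install-time defaults described above.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/crypttab" <<'EOF'
# constructed sample, placeholder UUIDs
luks-root UUID=00000000-0000-0000-0000-000000000001 none discard
luks-home UUID=00000000-0000-0000-0000-000000000002 none
EOF
cat > "$tmp/fstab" <<'EOF'
/dev/mapper/luks-root /     ext4 defaults,x-systemd.device-timeout=0 1 1
/dev/mapper/luks-home /home ext4 defaults,nodiscard 1 2
EOF
echo "fstrim.timer disabled: $(trim_verdict "$tmp/crypttab" "$tmp/fstab" disabled)"
echo "fstrim.timer enabled:  $(trim_verdict "$tmp/crypttab" "$tmp/fstab" enabled)"
```

On a live system the equivalent call is trim_verdict /etc/crypttab /etc/fstab "$(systemctl is-enabled fstrim.timer)".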