On Mon, Oct 21, 2024 at 01:11:36PM +0200, Mikulas Patocka wrote:
> Hi
>
> What about using the REQ_META flag (it is set on metadata bios and cleared
> on data bios), instead of adding a new flag with the same meaning?
>
> Mikulas

REQ_META is a hint and is not used for all metadata.

And while metadata is the main point, more precisely the goal is to encrypt every block that isn't already encrypted. That means that the contents of files that are unencrypted at the filesystem layer are encrypted by dm-default-key too. So technically it's more than just metadata.

To avoid recurring "oops, we forgot to encrypt this" bugs, the right model is really an opt-out flag, not opt-in. And especially not opt-in via something that is currently just a hint and is used as such.

- Eric