On Wed, Oct 23, 2024 at 10:52:06PM -0400, Adrian Vovk wrote:
> > Why do you assume the encryption would happen twice?
>
> I'm not assuming. That's the behavior of dm-crypt without passthrough.
> It just encrypts everything that moves through it. If I stack two
> layers of dm-crypt on top of each other my data is encrypted twice.

Sure. But why would you do that?

> > No one knows that it actually is encrypted. The lower layer just knows
> > the skip encryption flag was set, but it has zero assurance data
> > actually was encrypted.
>
> I think it makes sense to require that the data is actually encrypted
> whenever the flag is set. Of course there's no way to enforce that
> programmatically, but code that sets the flag without making sure the
> data gets encrypted some other way wouldn't pass review.

You have a lot of trust in reviewers. But even that doesn't help as
the kernel can load code that never passed review.

> Alternatively, if I recall correctly it should be possible to just
> check if the bio has an attached encryption context. If it has one,
> then just pass-through. If it doesn't, then attach your own. No flag
> required this way, and dm-default-key would only add encryption iff
> the data isn't already encrypted.

That at least sounds a little better. But it still doesn't answer
why we need this hack instead of always encrypting at one layer instead
of splitting it up.