On 24/10/2024 03:52, Adrian Vovk wrote:
> On Wed, Oct 23, 2024 at 2:57 AM Christoph Hellwig <hch@xxxxxxxxxxxxx> wrote:
>> On Fri, Oct 18, 2024 at 11:03:50AM -0400, Adrian Vovk wrote:
>>> Sure, but then this way you're encrypting each partition twice. Once by
>>> the dm-crypt inside of the partition, and again by the dm-crypt that's
>>> under the partition table. This double encryption is ruinous for
>>> performance, so it's just not a feasible solution and thus people don't
>>> do this. Would be nice if we had the flexibility though.

As an encrypted-systems administrator, I would actively expect and require
that stacked encryption layers WOULD each encrypt.

If I have set up full disk encryption, then as an administrator I expect
that to be obeyed without exception, regardless of whether some higher-level
file system has done encryption already.

Anything that allows a higher level to bypass the full disk encryption layer
is, in my opinion, a bug and a serious security hole.

Regards,
Geoff.

>> Why do you assume the encryption would happen twice?
> I'm not assuming. That's the behavior of dm-crypt without passthrough.
> It just encrypts everything that moves through it. If I stack two
> layers of dm-crypt on top of each other my data is encrypted twice.
>
>>>> Because you are now bypassing encryption for certain LBA ranges in
>>>> the file system based on hints/flags for something sitting way above
>>>> in the stack.
>>>>
>>> Well the data is still encrypted. It's just encrypted with a different
>>> key. If the attacker has a FDE dump of the disk, the data is still just
>>> as inaccessible to them.
>> No one knows that it actually is encrypted. The lower layer just knows
>> the skip encryption flag was set, but it has zero assurance data
>> actually was encrypted.
> I think it makes sense to require that the data is actually encrypted
> whenever the flag is set. Of course there's no way to enforce that
> programmatically, but code that sets the flag without making sure the
> data gets encrypted some other way wouldn't pass review.
>
> Alternatively, if I recall correctly it should be possible to just
> check if the bio has an attached encryption context. If it has one,
> then just pass-through. If it doesn't, then attach your own. No flag
> required this way, and dm-default-key would only add encryption iff
> the data isn't already encrypted.
>
> Would either of those solutions be acceptable?
>
> Best,
> Adrian
>