On Wed, Mar 20, 2019 at 11:39:12AM -0700, Eric Biggers wrote: > From: Eric Biggers <ebiggers@xxxxxxxxxx> > > Plaintext dentries are always valid, so only set fscrypt_d_ops on > ciphertext dentries. > > Besides marginally improved performance, this allows overlayfs to use an > fscrypt-encrypted upperdir, provided that all the following are true: > > (1) The fscrypt encryption key is placed in the keyring before > mounting overlayfs, and remains while the overlayfs is mounted. > > (2) The overlayfs workdir uses the same encryption policy. > > (3) No dentries for the ciphertext names of subdirectories have been > created in the upperdir or workdir yet. (Since otherwise > d_splice_alias() will reuse the old dentry with ->d_op set.) > > One potential use case is using an ephemeral encryption key to encrypt > all files created or changed by a container, so that they can be > securely erased ("crypto-shredded") after the container stops. > > Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx> Looks good, applied. - Ted