backup/restore of fscrypt files

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Currently it is not possible to do backup/restore of fscrypted files without the
encryption key for a number of reasons.  However, it is desirable to be able to
backup/restore filesystems with encrypted files for numerous reasons.

My understanding is that there are two significant obstacles for this to work:
- the file size reported to userspace for an encrypted file is the "real" file size,
  but there is data stored beyond "i_size" that is required for decrypting the file
- the per-inode 16-byte nonce that would need to be backed up and restored for
  later decryption to be possible

I'm wondering if it makes sense for stat() to report the size rounded up to the end
of the encryption block for encrypted files, and then report the "real" size and
nonce in virtual xattrs (e.g. "trusted.fscrypt_size" and "trusted.fscrypt_nonce")
so that encrypted files can be backed up and restored using normal utilities like
tar and rsync if the xattrs are also copied.

A (small) added benefit of rounding the size of encrypted files up to the end of the
encryption block is that it makes fingerprinting of files by their size a bit harder.
Changing the size returned by stat() is not (IMHO) problematic, since it is not
currently possible to directly read encrypted files without the key anyway.


The use of "trusted" xattrs would limit the backup/restore of encrypted files to
privileged users.  We could use "user" xattrs to allow backup by non-root users, but
that would re-expose the real file size to userspace (not worse than today), and
would corrupt the file if the size or nonce xattrs were modified by the user.

It isn't clear whether there is a huge benefit of users to be able to backup/restore
their own files while encrypted.  For single-user systems, the user will have root
access anyway, while administrators of multi-user systems need privileged access for
shared filesystems backup/restore anyway.

I'm probably missing some issues here, but hopefully this isn't an intractable problem.

Cheers, Andreas

Attachment: signature.asc
Description: Message signed with OpenPGP

[Index of Archives]     [Reiser Filesystem Development]     [Ceph FS]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite National Park]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Device Mapper]     [Linux Media]

  Powered by Linux