Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption

On Sat, Dec 09, 2017 at 04:40:56PM +0100, Geo Kozey wrote:
> > From: Eric Biggers <ebiggers3@xxxxxxxxx>
> > Sent: Fri Dec 08 22:42:13 CET 2017
> > Subject: Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption
> > 
> > We can't use authenticated encryption for the same reason we can't use random or
> > sequential nonces: there is nowhere to store the additional metadata
> > (authentication tag and nonce) per filesystem block *and* have it updated
> > atomically with respect to the contents of said block. 
> 
> I saw that LUKS/dm-crypt guys are able to do AE regardless of the same issues[1].
> Is it really impossible for fscrypt?
> 
> [1] http://www.saout.de/pipermail/dm-crypt/2017-November/005745.html
> 

dm-crypt only supports authenticated encryption when it is running on top of
dm-integrity, which emulates a block device that has per-sector tags that can be
used to store the integrity information (nonce and authentication tag).

While it is very cool that they've actually gotten this to work, it is really
more of a proof-of-concept because the per-sector tag emulation is really
inefficient.  Primarily, it has to use data journaling to maintain consistency,
which results in all data having to be written twice.  Very few users are
willing to take that performance hit.

Now, it does have a nice design which is that the per-sector tag support is
abstracted out as an integrity profile which it appears could be used by
filesystems.  So we probably could actually support authenticated encryption
pretty easily in fscrypt, but presently it would only work when the filesystem
was formatted on top of dm-integrity, which means almost no one would use it.

Ideally, in the future there will be *hardware* that supports per-sector tags,
which would then provide the "DM-DIF-EXT-TAG" integrity profile rather than
dm-integrity.  That would make authenticated full-disk encryption, as well as
authenticated encryption of file contents on non-CoW filesystems, actually
practical (albeit without rollback protection).

Eric
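
The consistency problem described in the message above, as an added example that is not part of the original message and is not dm-integrity code: a toy model of a device whose per-sector tags live apart from the data, crashed between the data write and the tag write, with and without a data journal. The names `TaggedDevice`, `torn_write` and `Crash`, the key and the sector size are constructed for illustration, and HMAC-SHA256 stands in for an AEAD authentication tag.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key
SECTOR = 16                    # toy sector size in bytes

def tag(index, data):
    # HMAC-SHA256 stands in for the AEAD authentication tag (assumption).
    return hmac.new(KEY, index.to_bytes(8, "little") + data, hashlib.sha256).digest()

class Crash(Exception): pass   # simulated power loss in the middle of a write

class TaggedDevice:
    """Toy device: data area and tag area are separate, so a sector update is two writes."""
    def __init__(self, nsectors, journaled):
        self.data = [bytes(SECTOR)] * nsectors
        self.tags = [tag(i, bytes(SECTOR)) for i in range(nsectors)]
        self.journal = None        # at most one committed (index, data, tag) record
        self.journaled = journaled
        self.bytes_written = 0     # data bytes sent to the media

    def write(self, i, data, crash_after_data=False):
        t = tag(i, data)
        if self.journaled:
            self.journal = (i, data, t)   # first copy: data + tag committed together
            self.bytes_written += len(data)
        self.data[i] = data               # second copy: in-place data write
        self.bytes_written += len(data)
        if crash_after_data:
            raise Crash()                 # tag area still holds the old tag
        self.tags[i] = t
        self.journal = None

    def recover(self):
        if self.journal is not None:      # replay the committed journal record
            i, data, t = self.journal
            self.data[i], self.tags[i] = data, t
            self.journal = None

    def read(self, i):                    # None means the integrity check failed
        ok = hmac.compare_digest(self.tags[i], tag(i, self.data[i]))
        return self.data[i] if ok else None

def torn_write(journaled):  # crash between data write and tag write, then recover
    dev = TaggedDevice(4, journaled)
    try:
        dev.write(1, b"A" * SECTOR, crash_after_data=True)
    except Crash:
        dev.recover()
    return dev.read(1), dev.bytes_written
```

Without the journal the sector fails verification after the crash; with it the sector reads back intact, at the cost of every data byte being written twice.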