Thanks a lot for the detail explanation, Eric. jerry -----Original Message----- From: Eric Biggers <ebiggers@xxxxxxxxxx> Sent: Friday, May 28, 2021 9:26 PM To: Jerry Chung <jchung@xxxxxxxxxxxxxx> Cc: linux-fscrypt@xxxxxxxxxxxxxxx Subject: Re: Is fscrypt encryption FIPS compliant? On Fri, May 28, 2021 at 04:26:56PM +0000, Jerry Chung wrote: > Hi Eric, > > Does fscrypt (kernel part and userspace part) implement any > encryptions by itself? Or is it relying on the kernel crypto API? > > Thanks, > jerry In the kernel part, currently the encryption algorithms are accessed through the kernel crypto API and/or through blk-crypto (the kernel's interface to inline encryption hardware). The hash algorithms SHA-256 and SipHash are accessed through their library interface. The key derivation algorithm HKDF is implemented in fs/crypto/ on top of HMAC-SHA512 from the kernel crypto API. The userspace tool https://urldefense.com/v3/__https://github.com/google/fscrypt__;!!ORgEfCBsr282Fw!57nse74kKZWgPBVTybhzV_-lLBRUeyq3AyR5Ixx2_qIuPXL2aWTxpZBkKmj0Ze2kIQ$ (note, this isn't the only userspace tool that can use the kernel part) uses cryptographic algorithms from third-party Go packages, which get built into the resulting binary. See the source code for details. Note that these are all implementation details, which may differ in past and future versions of the software, both kernel and userspace. - Eric
|