Eric Biggers <ebiggers@xxxxxxxxxx> wrote:

> First, CephFS already supports fscrypt. Have you looked at how it works and
> solves some of these issues?

Yes. I've been looking into it very deeply:

https://web.git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=ceph-iter

I'm not sure which issues you're referring to specifically that you think ceph might have a usable solution, but note that Ceph has the ability to store extra data, such as the "sparse map" that AFS doesn't have, unfortunately. It's not easy to extend AFS because the volume transfer protocol/backup protocol would need to change.

And with regard to filename encryption, the traditional AFS directory format has a limit on the maximum directory size, so increasing the size of filenames by a third would be a problem.

> Second, per-block keys would be really inefficient and are unnecessary. The
> way that fscrypt works is that the keys are (usually) per-file, and within
> each file each block has a different IV (initialization vector). That is
> sufficient to make each block be encrypted differently.

Okay. Sounds good.

David
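The scheme described in the quoted text above (one key per file, a different IV per block), as an added Go illustration that is not part of either message or of the kernel's fscrypt code. It assumes AES-256-XTS with the block's index in the file as the IV; the keys and the names `encryptBlock` and `compare` are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// encryptBlock applies AES-256-XTS to one data block. The IV (tweak) is the
// block's index within the file, so one per-file key covers every block.
func encryptBlock(fileKey []byte, blockNum uint64, pt []byte) []byte {
	if len(fileKey) != 64 || len(pt)%16 != 0 {
		panic("need a 64-byte XTS key and a multiple of 16 bytes of data")
	}
	k1, _ := aes.NewCipher(fileKey[:32]) // data key (length checked above)
	k2, _ := aes.NewCipher(fileKey[32:]) // tweak key
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:], blockNum)
	k2.Encrypt(t[:], t[:]) // initial tweak = E_k2(IV)
	ct := make([]byte, len(pt))
	for off := 0; off < len(pt); off += 16 {
		for i := range t {
			ct[off+i] = pt[off+i] ^ t[i]
		}
		k1.Encrypt(ct[off:off+16], ct[off:off+16])
		carry := byte(0)
		for i := range t { // unmask, then multiply the tweak by x in GF(2^128)
			ct[off+i] ^= t[i]
			t[i], carry = t[i]<<1|carry, t[i]>>7
		}
		if carry != 0 {
			t[0] ^= 0x87
		}
	}
	return ct
}

// compare encrypts the same all-zero 4 KiB block at different positions and files.
func compare() (inFile, acrossFiles, repeat bool) {
	fileA := bytes.Repeat([]byte{0x0a}, 64) // constructed per-file key
	fileB := bytes.Repeat([]byte{0x0b}, 64) // constructed per-file key
	pt := make([]byte, 4096)
	a0 := encryptBlock(fileA, 0, pt)
	return !bytes.Equal(a0, encryptBlock(fileA, 1, pt)), // same file, next block
		!bytes.Equal(a0, encryptBlock(fileB, 0, pt)), // other file, same index
		bytes.Equal(a0, encryptBlock(fileA, 0, pt)) // same key and index again
}

func main() { fmt.Println(compare()) }
```

All three results are true. The third shows that the IV depends only on the block's position: writing the same plaintext to the same block of the same file yields the same ciphertext.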