I previously presented on ext4 encryption at the 2014 Linux Security Summit:

http://kernsec.org/wiki/index.php/Linux_Security_Summit_2014/Abstracts/Halcrow
http://kernsec.org/files/lss2014/Halcrow_EXT4_Encryption.pdf

Our first prototype implementation has been in Ted Ts'o's unstable git branch since November 2014. My team has made significant progress in the months since, developing encryption policy and file name encryption capabilities. We have completed the first major phase of development and are preparing a patchset to iterate on the prototype.

I will present our approach to applying different encryption policies to different segments of the file system via a policy inheritance scheme. I will discuss how file-granular policies can synthesize multiple keys to cryptographically protect files. For example, both logon credentials and off-device keys can together preclude access. This work represents efforts by Ildar Muslukhov.

I will also present the challenges involved in file name encryption on a multi-tenant system and will discuss novel solutions spearheaded by Uday Savagaonkar. This approach involves treating the user domain, HTree domain, and disk domains for the file names separately and applying different transformations depending upon whether or not the encryption keys for the file names are available.

Finally, I will discuss what our future plans are with respect to encryption with integrity, which will include leveraging ext4 transactions to enforce cryptographic consistency while managing additional per-block authentication data.