Preliminary support for fscrypt v2
The ext4 filesystem supports per-folder encryption, called
"fscrypt". This is a feature that can be enabled using the 'tune2fs'
utility.
In EasyOS, the working-partition (usually) has fscrypt enabled, and
some folders are encrypted. This means, if the drive is stolen, no one
will be able to read the contents of those folders.
The advantage of encrypting a folder, compared with a file as may be
done in Puppy Linux, is the folder has no size limit, or rather, it is
the limit of free space in the partition.
There is a utility named 'e4crypt' in the initrd, that decrypts these
folders at bootup. Easy has used this utility up until the present;
however, it is what is called "version 1" fscrypt, and has some serious
problems with multiple users.
When I took Easy down the path of running apps as separate users,
things got complicated. I had to use the 'keyctl' utility for each user
to decipher the folders. And recently it got even more complicated with
Flatpaks, that run in a sandbox and have great difficulties with
recognizing the kernel keys -- meaning unable to access the encrypted
folders.
Since the 5.4 kernel, I think about 2020, there has been fscrypt v2,
that looks like it might make usage with multiple users much easier.
Here is some early information about v2:
https://lwn.net/Articles/788931/
A general introduction to fscrypt is here:
https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html
I have created a variable that is set to "2" for version-2 and
anything else for version-1; "EOS_FSCRYPT_VER", that will be found in
the 'build-choices' file. That file is at /root/.packages in a running
EasyOS and inside the initrd.
So far, have put basic v2 support into the initrd:
https://github.com/bkauler/woofq/commit/2462913db469786c92da0135618de0915ad0cb46
...still needs to be debugged, as got failure at second bootup, but I
know the principle of using v2 is ok. It has a new utility,
'fscryptctl', project here:
https://github.com/google/fscryptctl
If I decide to adopt v2, there is a problem, as update from the
current Easy release won't work. It won't be able to decrypt the folders
encrypted by fscrypt v1.
That won't matter if you bootup without a password, but if you did
enter a password at first bootup to encrypt the folders, then you will
hit this problem. It will require a new install.
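A sketch of how an initrd script could choose the unlock tool from EOS_FSCRYPT_VER and catch the update case described above, where a v2 build meets folders that still carry a v1 policy. This is an added example, not code from the woofq commit; the function names, the sample path and the key descriptor are made up, and the "Policy version:" line is assumed to match what 'fscryptctl get_policy' prints.

```shell
#!/bin/sh
# Added illustration, not the woofq initrd code. Function names are hypothetical.

# Read EOS_FSCRYPT_VER from a build-choices file without sourcing (executing) it.
# Per the post: "2" selects fscrypt v2, anything else (or nothing) selects v1.
fscrypt_cfg_ver() {
    v=$(sed -n 's/^EOS_FSCRYPT_VER=//p' "$1" 2>/dev/null | tail -n 1 | tr -d "\"' \t")
    [ "$v" = "2" ] && echo 2 || echo 1
}

# Read `fscryptctl get_policy DIR` output on stdin and print the policy version.
# Prints 0 when no "Policy version:" line is present (no policy could be read).
# Assumption: the tool prints a line of the form "Policy version: N".
policy_ver() {
    awk -F': *' '/Policy version:/ { print $2 + 0; found = 1; exit }
                 END { if (!found) print 0 }'
}

# Decide which tool may unlock a folder.
# $1 = version configured in build-choices, $2 = policy version found on disk.
unlock_tool() {
    case "$1:$2" in
        *:0) echo none ;;        # no policy on the folder, nothing to unlock
        1:1) echo e4crypt ;;     # v1 build, v1 folder
        2:2) echo fscryptctl ;;  # v2 build, v2 folder
        *)   echo mismatch ;;    # e.g. v2 build, v1 folder: the update problem
    esac
}

# Real use (assumes fscryptctl is present and $dir is on the mounted partition):
#   unlock_tool "$(fscrypt_cfg_ver /root/.packages/build-choices)" \
#               "$(fscryptctl get_policy "$dir" 2>/dev/null | policy_ver)"

# Constructed sample: a v2 build meeting a folder that still has a v1 policy.
SAMPLE_POLICY='Encryption policy for /mnt/wkg/files:
    Policy version: 1
    Master key descriptor: 0123456789abcdef'
cfg=$(mktemp)
echo "EOS_FSCRYPT_VER='2'" > "$cfg"
cfgver=$(fscrypt_cfg_ver "$cfg")
polver=$(printf '%s\n' "$SAMPLE_POLICY" | policy_ver)
echo "configured=v$cfgver on-disk=v$polver decision=$(unlock_tool "$cfgver" "$polver")"
rm -f "$cfg"
```

A "mismatch" result is the point at which a boot script can stop and tell the user that a new install is needed, rather than attempting an unlock that cannot succeed.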
I won't be using v2 for the upcoming Easy 5.2.3. It remains to be
seen whether it offers significant improvements, but if it does, will
most likely migrate to it. Maybe I can figure out a way to port a v1
Easy installation to v2.