
Preliminary support for fscrypt v2

April 29, 2023 — BarryK

The ext4 filesystem supports per-folder encryption, called "fscrypt". This is a feature that can be enabled using the 'tune2fs' utility.

In EasyOS, the working-partition (usually) has fscrypt enabled, and some folders are encrypted. This means, if the drive is stolen, no one will be able to read the contents of those folders.

The advantage of encrypting a folder, compared with a file as may be done in Puppy Linux, is that the folder has no size limit, or rather, its limit is the free space in the partition.

There is a utility named 'e4crypt' in the initrd that decrypts these folders at bootup. Easy has used this utility up until the present; however, it is what is called "version 1" fscrypt, and has some serious problems with multiple users.

When I took Easy down the path of running apps as separate users, things got complicated. I had to use the 'keyctl' utility for each user to decipher the folders. And recently it got even more complicated with Flatpaks, which run in a sandbox and have great difficulty recognizing the kernel keys -- meaning they are unable to access the encrypted folders.

Since the 5.4 kernel, I think about 2020, there has been fscrypt v2, which looks like it might make usage with multiple users much easier. Here is some early information about v2:

https://lwn.net/Articles/788931/

A general introduction to fscrypt is here:

https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html

I have created a variable that is set to "2" for version-2 and anything else for version-1; "EOS_FSCRYPT_VER", that will be found in the 'build-choices' file. That file is at /root/.packages in a running EasyOS and inside the initrd.

So far, have put basic v2 support into the initrd:

https://github.com/bkauler/woofq/commit/2462913db469786c92da0135618de0915ad0cb46

...still needs to be debugged, as got failure at second bootup, but I know the principle of using v2 is ok. It has a new utility, 'fscryptctl', project here:

https://github.com/google/fscryptctl

If I decide to adopt v2, there is a problem, as an update from the current Easy release won't work. It won't be able to decrypt the folders encrypted by fscrypt v1.

That won't matter if you bootup without a password, but if you did enter a password at first bootup to encrypt the folders, then you will hit this problem. It will require a new install.
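The version switch and the upgrade problem described above can be checked before any key is loaded. The following is an added example, not code from woofq or EasyOS: it assumes 'build-choices' holds shell-style VAR=value lines and that 'fscryptctl get_policy' prints a "Policy version:" line; the function names, paths and sample text are hypothetical.

```sh
#!/bin/sh
# Added example, not EasyOS code. Assumption: build-choices has VAR=value lines.

# Echo 2 only when EOS_FSCRYPT_VER is exactly "2". Anything else, including a
# missing file or variable, means version 1 (the rule stated in the post).
# The file is parsed as text, not sourced, so nothing in it gets executed.
fscrypt_ver_from_build_choices() {
    line=$(grep '^EOS_FSCRYPT_VER=' "$1" 2>/dev/null | tail -n 1)
    val=${line#EOS_FSCRYPT_VER=}
    val=$(printf '%s' "$val" | tr -d "\"' \t")
    if [ "$val" = "2" ]; then echo 2; else echo 1; fi
}

# Extract the policy version from get_policy output (format is an assumption).
# Prints nothing when no "Policy version:" line exists (folder not encrypted).
policy_ver_from_get_policy() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Policy version:[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# $1 = build-choices path, $2 = get_policy output for an existing folder.
# Returns 1 on a v1/v2 mismatch so the caller can stop before trying to unlock.
check_upgrade() {
    want=$(fscrypt_ver_from_build_choices "$1")
    have=$(policy_ver_from_get_policy "$2")
    if [ -z "$have" ]; then echo "unencrypted"; return 0; fi
    if [ "$have" = "$want" ]; then echo "ok:v$want"; return 0; fi
    echo "mismatch:folder=v$have,configured=v$want"
    return 1
}

# Constructed sample: a folder encrypted by a v1 release (path is made up).
SAMPLE_V1_POLICY='Encryption policy for /mnt/wkg/home:
    Policy version: 1
    Master key descriptor: 0000000000000000'

demo() {
    bc=$(mktemp)
    printf "EOS_FSCRYPT_VER='2'\n" > "$bc"
    # Configured for v2, folder is v1: this is the update case that fails.
    check_upgrade "$bc" "$SAMPLE_V1_POLICY" || echo "new install or migration needed"
    rm -f "$bc"
}
demo
```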

I won't be using v2 for the upcoming Easy 5.2.3. It remains to be seen whether it offers significant improvements, but if it does, will most likely migrate to it. Maybe I can figure out a way to port a v1 Easy installation to v2.  
