|
|
Subscribe / Log in / New account

Ext4 encryption

By Jonathan Corbet
April 8, 2015
For reasons that should be reasonably obvious, there is an increasing level of awareness of the wisdom of encrypting sensitive data stored on devices — especially on devices that, like a phone handset, are easily stolen or lost. In current kernels, encrypting a filesystem requires the use of an add-on module like eCryptfs or dm-crypt. These modules work, but they can have an adverse effect on filesystem performance as a result of the way they are implemented. Performance is important; problems in this area are widely cited as the reason for Google's decision to back off from its plan to encrypt filesystems by default in the Android "Lollipop" release. Linux might be able to provide a filesystem with better performance if encryption were built into the filesystem itself, but, currently, not even Btrfs has encryption as an option.

Change is afoot, however; it takes the form of a set of patches adding encryption to the ext4 filesystem. They were posted by ext4 maintainer Ted Ts'o, but the lead developer behind the work is Michael Halcrow — the same developer who added eCryptfs to the kernel ten years ago. The ext4 work, though, reflects some of the lessons that have been learned in the meantime.

Performance suffers in eCryptfs as a result of the stacked nature of the filesystem. Imagine a system running eCryptfs over ext4 now; if a process wants to read a page from an encrypted file, eCryptfs must first instruct ext4 to read that page into the page cache. It then decrypts the data — into another page-cache page. The extra copies of the data can consume a lot of memory and slow things down unnecessarily. Putting encryption support directly into ext4 can eliminate much of that waste.

Encryption in ext4 is a per-directory-tree affair. One starts by setting an encryption policy (using an ioctl() call) for a given directory, which must be empty at the time; that policy includes a master key used for all files and directories stored below the target directory. Each individual file is encrypted with its own key, which is derived from the master key and a per-file random nonce value (which is stored in an extended attribute attached to the file's inode). File names and symbolic links are also encrypted.

The keys used by processes to access the encrypted directory tree are stored in the kernel's keyring as "logon" keys, meaning that user space can create them, but it is not allowed to read the value of the keys. (The kernel's key-management functionality is beyond the scope of this article; see Documentation/security/keys.txt for an overview of how it works). If a user-space process has the requisite master key in its per-process keyring, it can access an encrypted directory as usual. In the absence of the key, though, things are different. Directories can still be read (if the normal permissions and security module policy allow, of course), but the file names will all be encrypted, so the result may not be particularly satisfying. It will be possible to determine how many files are in the directory, their sizes, and their permissions, but not their names or contents. Attempts to open a file (for read or write) without access to the key will simply fail. It is still possible to delete encrypted files, though, if the permissions allow.

If a process with access to the appropriate key reads a page from a file, the filesystem code starts by allocating a separate bounce buffer. The encrypted data is read into the buffer, then decrypted into the page cache. Writes work similarly: the page being written is read from persistent storage and decrypted if necessary; then the new data is written, the data is encrypted into a bounce buffer, and written to permanent storage. Some extra memory is used during the actual encryption and decryption operations, but then it is immediately returned to the system, so overall memory use is significantly reduced relative to eCryptfs or dm-crypt.

Keeping the plain text of an encrypted file in memory has some obvious risks associated with it; if an attacker can get at that memory, all of the work put into encrypting the file on disk is for nothing. To an extent that risk just has to be accepted; the developers are not attempting to make a system that is resistant to attacks when it is hibernated, for example. Still, efforts have been made to clear plain-text data out of memory when it is no longer needed in an attempt to mitigate that risk somewhat. The developers note, though, that if an attacker can make changes to an encrypted filesystem that is subsequently mounted by the user, all bets are off. So ext4 encryption can protect a lost or stolen device, but protecting a device that has been covertly modified is beyond its threat model.

The code currently uses AES-256-XTS as the encryption algorithm for file contents, while AES-256-CBC+CTS is used for file names. The code is designed with the idea that, at some point, it will be desirable to change to a different encryption scheme; care has been taken to avoid wiring the specific algorithm too deeply into the filesystem.

While Google prefers ext4 as the filesystem to use on Android systems, not all Android devices use it. So it is worth noting that Ted has been talking with the maintainer of the F2FS flash-oriented filesystem to get the same ioctl() interfaces implemented there. That would allow Android systems to use encrypted storage on either filesystem without the need for any filesystem-specific code.

This code is marked as experimental in the current patch set, but it may not stay that way for long. There is already user-space code to make use of this feature in the Android open-source repository, and, according to Ted, it will be included in the next major Android release. As of this writing, it has also found its way into linux-next, suggesting that it is intended for the 4.1 merge window. Some developers think that may be premature, though, since the code has just now surfaced. Filesystem changes in general merit a high level of review, given the severe consequences of getting something wrong at that level of the system. Security-relevant code needs even more review, of course. Until that review has happened, developers may well feel nervous about shipping these particular changes in a mainline kernel release.

This obstacle will likely be overcome before too long; at that point Linux will have native encryption support in a major filesystem for the first time. In a period where many people are concerned about the security of their data, that can only be a good thing.

(See this document for some more information on the design of the ext4 encryption mechanism).

Index entries for this article
KernelFilesystems/ext4
KernelSecurity/Filesystem encryption
SecurityEncryption/Filesystems

to post comments

Ext4 encryption

Posted Apr 9, 2015 7:07 UTC (Thu) by bunch (subscriber, #18522) [Link] (17 responses)

Even if I see why eCryptfs would increase memory usage, I don't see why using dm-crypt would have worst performances than Ext4 encryption.

Since blocks are deciphered before hitting the FS layer, it could use the same mechanism (temporary disk buffers) as Ext4 encryption.

Ext4 encryption

Posted Apr 9, 2015 12:44 UTC (Thu) by felixfix (subscriber, #242) [Link]

Is it a matter of which pages are used for the decryption? If, say, an internal buffer is used in one method while a mapped page is used in the other, the internal buffer could be a bottleneck requiring a lock, while the mapped page may cause a dirty page to be flushed.

I am just brainstorming, no idea of what I am talking about. Please be gentle :-)

Ext4 encryption

Posted Apr 9, 2015 13:41 UTC (Thu) by msnitzer (subscriber, #57232) [Link] (12 responses)

As the primary DM maintainer I've yet to see a single report about dm-crypt performance being a pain point for android. Yet ext4 developers have gotten to a point where AOSP changes were introduced to use their newly crafted encryption support. Amazing really.

Ext4 encryption

Posted Apr 9, 2015 15:49 UTC (Thu) by pr1268 (subscriber, #24648) [Link] (6 responses)

Are you suggesting that the Android folks ignored your (presumably serviceable and efficient) DM-Crypt code and decided to write their own?

I'm not trying to ruffle feathers here; I'm sincerely curious why a community of developers would go out and re-invent the wheel. Kinda like how we're up to 1500 programming languages—because whoever wrote the Nth programming language did so because the other N-1 were "broken". Sigh.

Or...

<CONSPIRACY THEORY>Your DM code lacks a back door.</CONSPIRACY THEORY> (hint, hint!)

Perhaps I'm comparing apples and oranges with the programming languages analogy, but my jaded attitude towards the plethora of languages is real.

Ext4 encryption

Posted Apr 9, 2015 16:08 UTC (Thu) by msnitzer (subscriber, #57232) [Link] (1 responses)

I really have no idea. Filesystems yielding functionality to block devices tends to make filesystem developers uneasy (any excuse to avoid it). Fosters NIH syndrome. But to be fair, there are efficiencies to be had with a filesystem natively providing functionality. Same efficiencies can be had with fs+block integration but it takes more work/coordination that is less comfortable for filesystem developers.

I'm not convinced there isn't a way to make dm-crypt work perfectly well for andoid's needs -- but that is purely my naive position considering I'm uninformed about their motivations/requirements.

Ext4 encryption

Posted May 22, 2015 9:59 UTC (Fri) by xnox (guest, #63320) [Link]

http://nelenkov.blogspot.ru/2012/07/using-app-encryption-...

Ext4 encryption

Posted May 27, 2015 5:37 UTC (Wed) by geofft (subscriber, #59789) [Link] (3 responses)

dm-crypt is block-level encryption, not filesystem-level encryption. This means that you cannot add any bytes in the process of encrypting it. This means that your encryption is not authenticated, and unauthenticated encryption is generally a major mistake.

dm-crypt is very good at what it does, but what it does is necessarily incomplete by the nature of the problem. There are (limited) use cases for unauthenticated disk encryption, and dm-crypt is great for those, but if you can do authenticated encryption, you should. It's sorta like unsalted, unstretched passwords: SHA-512 is a fantastic hash function, but using it as a password storage scheme makes for a bad password storage scheme.

I see your conspiracy theory and raise you "The NSA is sending shills into comment sections to complain about people writing good cryptosystems instead of reusing the bad cryptosystems they already know how to break."

Ext4 encryption

Posted May 27, 2015 16:10 UTC (Wed) by flussence (guest, #85566) [Link] (1 responses)

I can think of a more mundane explanation: Android devices have all the software necessary to flip dm-crypt usage on/off in-place, but lack the hardware (battery capacity) to do it safely.

Ext4 encryption

Posted Jun 22, 2015 17:09 UTC (Mon) by luto (subscriber, #39314) [Link]

It would be straightforward to do it in place in a resumable fashion using a mix of dm-crypt, dm-linear, and whatever the dm target that delays IO is. All you'd need to do is have a little bit of spare space and some user code.

Ext4 encryption

Posted May 27, 2015 18:26 UTC (Wed) by kmeyer (subscriber, #50720) [Link]

> dm-crypt is block-level encryption, not filesystem-level encryption. This means that you cannot add any bytes in the process of encrypting it. This means that your encryption is not authenticated, and unauthenticated encryption is generally a major mistake.

Ext4's new encryption mode, as described, is equally unauthenticated -- it is not designed to be resilient against covert modifications to the ciphertext.

Ext4 encryption

Posted Apr 10, 2015 21:57 UTC (Fri) by mhalcrow (guest, #17371) [Link]

Mike, as you suggest, I don't expect we'll be able to realize a significant performance boost for raw unauthenticated (XTS) encryption by doing it in ext4 rather than the block layer.

Down the road, I do think we'll be able to implement authenticated encryption more easily than a dm layer mechanism will, because we've got existing transactional facilities to give us consistency between the crypto metadata and the ciphertext, and we expect to get per-block metadata support from Mingming when it's ready. I've got a roadmap for that, but we're taking this one step at a time and doing unauthenticated crypto first.

Once we start talking about managing additional per-block metadata with transactional semantics, we're pretty far into "file system" territory. With that extra data, we'll need to make some decisions around I/O patterns, memory usage, and so forth. The file system is the best place to manage that sort of complexity.

If you've got a single-user laptop that's subject to being left in a taxi, FDE like dm-crypt makes a lot of sense.

If it's more complicated than the single-user laptop story, you often need to jump through hoops to make it work with FDE. Pushing a key into the keyring and setting a policy on a directory for an existing file system vastly simplifies many scenarios. Multi-user environments such as Android, Chrome OS, and Cloud servers are targets for encryption that can be selectively enabled and managed on shared live mounted file systems with multiple users.

Ext4 encryption

Posted Apr 12, 2015 5:46 UTC (Sun) by hobarrera (guest, #101888) [Link] (2 responses)

From what I can well, these changes allow per-directory-tree keys/passwords. Can dm-crypt do that? Maybe the Android folks needed/wanted that for some reason or another (I can't guess why, though).

Ext4 encryption

Posted Apr 14, 2015 17:38 UTC (Tue) by chloe_zen (guest, #8258) [Link] (1 responses)

One of the weaknesses of full-disk encryption is that once any user logs in the whole disk is effectively in plaintext; all an attacker needs is privilege escalation. Directory tree encryption is *the* killer feature here.

Ext4 encryption

Posted Jun 26, 2015 12:44 UTC (Fri) by yoshi314 (guest, #36190) [Link]

separate encryption per each user-profile, that's one use case i am thinking about.

Ext4 encryption

Posted Jun 22, 2015 16:18 UTC (Mon) by mirabilos (subscriber, #84359) [Link]

Oh!

Now that’s… puzzling.

They have different use cases of course: a per-file nonce instead of a per-block nonce, and differing keys, which is kinda neat, but I’d actually expect dmcrypt to perform *better*.

Ext4 encryption

Posted Apr 9, 2015 18:25 UTC (Thu) by job (guest, #670) [Link] (1 responses)

I agree. I don't understand why dm-crypt and ecryptfs are lumped together in the article, neither what the use case of only encrypting file name and contents is. Is it for unauthenticated users to be able to delete files?

Corbet's articles are usually much more enlightening. How about a follow up article, with a little more details?

Ext4 encryption

Posted Apr 10, 2015 22:00 UTC (Fri) by mhalcrow (guest, #17371) [Link]

It is for users without the key to be able to delete files. In one scenario, the Chromium OS user cache management system needs to be able to delete other users' cache files while they aren't logged in. That's why they're using eCryptfs for the user cache right now.

Ext4 encryption

Posted Apr 12, 2015 5:45 UTC (Sun) by tytso (guest, #9993) [Link]

Yeah, this article is missing a few bits of context.

There are two major advantages of doing encryption in at the file system level.

1) We don't have to worry about encrypted and unencrypted pages hanging around in the page cache. We do need to use bounce pages on the writepage path, but they get released right after the I/O is complete. This is a bit harder to handle with ecryptfs because it uses a stacking file system paradigm.

2) We can use multiple keys so that each user and/or work profile can be encrypted with a single key. This is something you can't do with dm-crypt, and it's important if you want to be able to flexibly share space between multiple users who are mutually suspicious with each other. In the chrome OS case, the user who is logged in can send a request to a root daemon for more disk space (if free disk space is running low), and the root daemon can delete files from that cache directory of some other user who is currently not logged in.

Ext4 encryption

Posted Apr 9, 2015 8:27 UTC (Thu) by meskio (guest, #100774) [Link] (4 responses)

Nice to see encryption as part of the filesystem itself. But I'm worry to see that it leaks sizes and hierarchy of files, in some cases this might be as bad as leaking the content of the files. We'll need to keep relying in dm-crypt for full disk encryption.

Ext4 encryption

Posted Apr 9, 2015 22:15 UTC (Thu) by reubenhwk (guest, #75803) [Link] (3 responses)

I didn't catch whether or not it encrypts xattrs. I also missed a bit about modification of the encrypted data. Are they not using MACs to ensure the data hasn't been changed?

Ext4 encryption

Posted Apr 10, 2015 22:04 UTC (Fri) by mhalcrow (guest, #17371) [Link] (1 responses)

Encryption with authentication should happen and is on my road map. But it's also hard to get right, and we don't have the facilities in place yet to give us per-block metadata with transactional semantics. I think we'll have it before too long though. Jonathan was careful to discuss the adversarial model in his writeup, and that's important to keep in mind when making a decision about whether or how to use this feature.

Ext4 encryption

Posted Apr 11, 2015 16:30 UTC (Sat) by Trou.fr (subscriber, #26289) [Link]

Ah, thank you for the update. I must admit I don't really see much to gain by using ext4 encryption vs dm-crypt if you don't get authentication.

I really look forward for a version with auth, it would be quite useful for homedirs.

Ext4 encryption

Posted May 20, 2018 11:23 UTC (Sun) by e4crypt (guest, #124524) [Link]

I didn't catch whether or not it encrypts xattrs.

It doesn't. Extended attributes are plain-text. Even if there is no key in the keyring and the file contents are not accessible, everyone can still read xattrs.

This is a major security hole on personal devices. Some very popular applications set extended attributes on files (even though mostly this information remains untouched). The most notable culprits are: Chrome/chromium and Wget. 

# truncate -s 2G storage
# mkfs.ext4 storage
# tune2fs -O encrypt storage
# mkdir mountpoint
# mount storage mountpoint
# cd mountpoint
# mkdir protected
# e4crypt add_key protected
# cd protected
# wget https://static.lwn.net/images/logo/barepenguin-70.png
# getfattr -d barepenguin-70.png
> # file: barepenguin-70.png
> user.xdg.origin.url="https://static.lwn.net/images/logo/barepenguin-70.png"
# cd ../..
# umount mountpoint
# e4crypt new_session
# mount storage mountpoint
# getfattr -d mountpoint/protected/w6W9jZ+I2d62uybxftwuHt4,M3N
> # file: mountpoint/protected/w6W9jZ+I2d62uybxftwuHt4,M3N
> user.xdg.origin.url="https://static.lwn.net/images/logo/barepenguin-70.png"

To protect against such an obvious leak, I suggest the following workaround. Obviously, it could be much better if extended attributes were stored encrypted along with file contents.

Mount a filesystem with an option "nouser_xattr" set. This will protect against "accidental" setting of extended attributes by applications. Note the downside of this approach: the option can only be set per mountpoint, meaning that user extended attributes will be disabled across the filesystem, not only in protected paths. 

# mount -o nouser_xattr storage mountpoint

But for the time being, ext4 filesystem encryption support seems to be more well-suited to protect mail spool directories and proprietary software on Git shared hosting. It is a bit premature to speak about desktop/end-user readiness.

May 2018. Tested with kernel 4.14.40 and e2fsprogs 1.44.1.

Ext4 encryption

Posted Apr 9, 2015 10:47 UTC (Thu) by Trou.fr (subscriber, #26289) [Link] (2 responses)

I am concerned that the proposal doesn't include authentication of encrypted data. Filesystems have way more flexibility than whole disk encryption scheme. While AES-GCM is not directly usable in such context, it can be adapted and used (as ZFS does : https://blogs.oracle.com/darren/entry/zfs_encryption_what...) to provide authentication.

Note that not authenticating data opens to pretty serious attacks : by (blindly) modifying binaries in a correct way, one can get root access to the system once booted.

So I guess this proposal needs more work before the devs commit to an on-disk format with such limitations.

Ext4 encryption

Posted Apr 9, 2015 22:17 UTC (Thu) by reubenhwk (guest, #75803) [Link]

I was wondering the same thing. Encryption is good, but using encryption wrong is very bad. It gives a false sense of security.

Without using some sort of Message Authentication Code (MAC), they may as well not use encryption at all.

Ext4 encryption

Posted Apr 10, 2015 22:08 UTC (Fri) by mhalcrow (guest, #17371) [Link]

The design and Jonathan's writeup both make the adversarial model for the current incarnation of this feature clear. When facilities are in place to allow us to implement encryption with integrity reliably and efficiently, we'll be able to incorporate that into what we've already built. We shouldn't hold up the existing functionality for the existing declared adversarial model in the meantime.

Ext4 encryption

Posted Apr 9, 2015 10:51 UTC (Thu) by jem (subscriber, #24231) [Link] (6 responses)

If the encryption is per-directory-tree I wonder how the design takes into account links to files that appear on both sides of the directory boundary. What happens when a file is moved into or out of the encrypted directory?

File names have traditionally been decoupled from the actual file objects. The model is that there is a many-to-one unidirectional mapping from file names to inodes. The actual files do not know what they are called or where in the directory tree they are linked from, and can be linked from more than one place in the file system.

Are we gradually getting rid of this model?

Ext4 encryption

Posted Apr 9, 2015 14:03 UTC (Thu) by cortana (subscriber, #24596) [Link]

Maybe attempts to cross-encrypted-directory-tree hardlinks should be made to fail? I would also be interested to know how files being moved in/out works.

Ext4 encryption

Posted Apr 9, 2015 15:41 UTC (Thu) by fandingo (guest, #67019) [Link] (4 responses)

> If the encryption is per-directory-tree I wonder how the design takes into account links to files that appear on both sides of the directory boundary.

In the case of symlinks, there's two encryption policies. The symlink itself has its contents (the link destination URI) encrypted, and the destination is also encrypted. If a user only has crypto access to the link source, she gets back an encrypted hash when accessing the destination.

The penultimate page in the design doc (https://docs.google.com/document/d/1ft26lUQyuSpiu6VleP70_...) covers how symlinks are handled.

> What happens when a file is moved into or out of the encrypted directory?

It is rewritten according to the crypto policy on the destination.

> Are we gradually getting rid of this model?

No. File names and data are still separate. They're encrypted separately, even using different AES modes to provide the best crypto performance while maintaining high security for data length (CBC is faster but has some weaknesses when a single key is used for massive amounts of data, which isn't a concern with file names).

I don't see any departure from how file system structures have worked in the past.

Ext4 encryption

Posted Apr 9, 2015 16:09 UTC (Thu) by viro (subscriber, #7872) [Link]

man 2 link
man 2 rename
then reread what you'd been replying to. Note, BTW, that renaming an opened file is perfectly legal and should not disrupt an ongoing IO...

Ext4 encryption

Posted Apr 9, 2015 16:31 UTC (Thu) by jem (subscriber, #24231) [Link] (2 responses)

> In the case of symlinks, there's two encryption policies. The symlink
> itself has its contents (the link destination URI) encrypted, and the
> destination is also encrypted. If a user only has crypto access to the
> link source, she gets back an encrypted hash when accessing the
> destination.

Sigh. I should have pointed out that I meant hard links. Symlinks are not interesting.

>> What happens when a file is moved into or out of the encrypted directory?

> It is rewritten according to the crypto policy on the destination.

Ok, so what happens if I make a link to an encrypted file so that there exists a (hard) link to it both inside the encrypted directory and outside of it? Or if I make a (hard) link to a non-encrypted file that appears below the encrypted directory?

> I don't see any departure from how file system structures have worked in the past.

Well, in the "good old days" files in a file system were not arranged hierarchically, but existed as a flat collection where each file was referenced by inode number. On top of that we had directories mapping names to inodes. In the really good old days a directory was not much more than a file containing records each containing an inode number and a string giving the name of the file.

The same file could have several names in the same directory or any other directories within the same file system. The file object itself had no knowledge of under which name and from which directories it was referenced from. In fact, a file might not have a name at all but still exist. As long as the file is open for a process, you can delete it from all directories and still read or write to it.

Ext4 encryption

Posted Apr 16, 2015 0:25 UTC (Thu) by Wol (subscriber, #4433) [Link]

> The same file could have several names in the same directory or any other directories within the same file system.

I still make extensive use of this ...

Photos on my system are generally owned by root, and in an archive directory. Then they are hard-linked into various user directories. Given that they are typically 10, 16 or 24 MP in size, that saves a LOT of space when you are storing several copies of each photo ...

(not that I particularly wish to crypto-protect my photos, but other people might have similar setups to mine where they do want protection.)

Cheers,
Wol

Ext4 encryption

Posted May 20, 2018 12:00 UTC (Sun) by e4crypt (guest, #124524) [Link]

Ok, so what happens if I make a link to an encrypted file so that there exists a (hard) link to it both inside the encrypted directory and outside of it?

The name of the link outside the protected directory will obviously remain unencrypted. The contents, however, will remain inaccessible until a correct key is in the keyring. 

# truncate -s 2G storage
# mkfs.ext4 storage
# tune2fs -O encrypt storage
# mkdir mountpoint
# mount storage mountpoint
# cd mountpoint
# mkdir protected plain-text
# e4crypt add_key protected
# cd protected
# wget https://static.lwn.net/images/logo/barepenguin-70.png
# ln barepenguin-70.png ../plain-text
# file ../plain-text/barepenguin-70.png 
> ../plain-text/barepenguin-70.png: PNG image data, 70 x 81, 8-bit/color RGBA, non-interlaced
# cd ../..
# umount mountpoint
# e4crypt new_session
# mount storage mountpoint
# cd mountpoint
# file plain-text/barepenguin-70.png 
> plain-text/barepenguin-70.png: writable, regular file, no read permission
# cat plain-text/barepenguin-70.png 
> plain-text/barepenguin-70.png: Required key not available
Or if I make a (hard) link to a non-encrypted file that appears below the encrypted directory?

The system won't let you. 

# touch plain-text/fuck_systemd
# ln plain-text/fuck_systemd protected
> ln: failed to create hard link 'protected/fuck_systemd' => 'plain-text/fuck_systemd': Operation not permitted

May 2018. Tested with kernel 4.14.40 and e2fsprogs 1.44.1.

Information leaks

Posted Apr 9, 2015 14:38 UTC (Thu) by abatters (✭ supporter ✭, #6932) [Link] (4 responses)

I would never rely on per-directory encryption. Modern desktop environments would leak too much information in files outside the encrypted directory.

mlocate/slocate/updatedb and other search tools
global and per-application recently-used lists
search history
gvfs
caches
thumbnails
trash folders
swap files
/tmp files
etc.

Even something as simple as "cat encrypted-file.txt" from a terminal could end up writing an unencrypted copy to disk:
http://seclists.org/fulldisclosure/2012/Mar/32

Information leaks

Posted Apr 9, 2015 16:22 UTC (Thu) by droundy (subscriber, #4559) [Link]

I expect that the per directory feature will more often be used in an effectively per user manner than to encrypt a single smaller subdirectory, and for this use case (encrypted home directories) the issues you mention are much less problematic.

Information leaks

Posted Apr 14, 2015 17:41 UTC (Tue) by chloe_zen (guest, #8258) [Link] (2 responses)

If an encrypted directory does not encrypt the filenames, it is fail.

Information leaks

Posted Apr 15, 2015 1:30 UTC (Wed) by mathstuf (subscriber, #69389) [Link] (1 responses)

What about the number of files or directories? Think a maildir tree. Even the file size could be useful. Though this is a good first step.

Information leaks

Posted Apr 15, 2015 1:48 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link]

Well, you can pad files with a small random-sized pad. But yeah, there are limits of what is practical.

I don't consider the disclosure of file sizes to be a huge problem for lots of people. And you always have dm-crypt if you are really paranoid.

Personally, I'm happily using eCryptfs on my self-made NAS, automatically mounted when my Mac connects to the share with the password that I store in Keychain.

Ext4 encryption

Posted Apr 9, 2015 16:19 UTC (Thu) by fandingo (guest, #67019) [Link] (6 responses)

> Each individual file is encrypted with its own key, which is derived from the master key and a per-file random nonce value (which is stored in an extended attribute attached to the file's inode).

I wish there was a little more discussion on this topic. It seems like an interesting choice that must be made for some specific reason. Yet, neither the article nor any of the links discuss this design choice. Is it to minimize seeking (to pull the directory master key), memory use (caching directory master key), or attempting to keep the total amount of data encrypted by a single key small?

Perhaps I'm not familiar enough with other disk encryption, but I'm not aware of other products that use a similar technique.

A longer discussion on key management would have been nice as well. There is mention of dealing with multiple users, so I wonder if keys will be managed more in line with LUKS, although the phrase "master key" is used quite often. In LUKS, there are up to 8 key slots that can be used to unlock the actual master key. Will there be a similar implementation where ext4 can store multiple key slots, and only the kernel gets access to the actual key?

Of course that leads to more complexity. Assuming that there can be multiple passphrases to access a single master key (which of course links to multiple directory master keys and multiple file keys), is it also possible to have multiple master master master keys (the kernel keyring logon keys)? It seems necessary for any sort of complex policy. Here's an example of what I mean.

3 Users -- Alice, Bob, and Eve -- are sharing a computer. Each one needs *one* and only one unique password (because password sharing is wrong) that they use to both sign into the computer and access their encrypted data. Each has their home directory encrypted, but only Alice and Bob have access to the encrypted data in /var/lib/mysql.

Do the keys and passphrases work out like this?

Eve: passphrase --> kernel logon key (serial number 0) --> /home/eve directory key --> ...
Alice: passphrase --> kernel logon key (serial number 1) --> /home/alice directory key --> ...
Alice: passphrase (same as above) --> kernel logon key (serial number 2) --> /var/lib/mysql directory key --> ...
Bob: passphrase --> kernel logon key (serial number 2) --> /home/bobdirectory key --> ...
Bob: passphrase (same as above) --> kernel logon key (serial number 1) --> /var/lib/mysql directory key --> ...

Basically, is there a mechanism for Bob and Alice to access the logon key #1 without sharing a password? I worry that if that's left to user space, a secure place to store the LUKS-style keyslot management data is lacking.

Ext4 encryption

Posted Apr 9, 2015 18:41 UTC (Thu) by fandingo (guest, #67019) [Link] (5 responses)

Another pass through the design document answered my question:

> Our present proposal allows for a single key to protect any given directory or file.

That's incredibly disappointing, although it's not completely surprising that a feature going to Android first has such fundamental limitations.

Usually "policy" means more than on/off.

So you can encrypt an arbitrary assortment of your new, empty directories, but they're all going to be based off the same key. Sounds like a proof-of-concept.

Ext4 encryption

Posted Apr 11, 2015 1:34 UTC (Sat) by mhalcrow (guest, #17371) [Link]

This meets requirements for Chromium OS and Android while keeping the total inode size within 256 bytes. So we don't need to spill over the default amount allocated for an inode, and we get a performance boost from being able to use what's already being read in.

Based on the prevalent usage patterns I've been seeing for eCryptfs, which lets you specify one policy per mount point, this per-top-level-directory approach to policy will work fine. My initial prototype let you specify file-granular policies with fancy things like synthesizing multiple keys, but it took too much xattr space and didn't seem to address any compelling requirements.

Ext4 encryption

Posted Apr 12, 2015 6:01 UTC (Sun) by tytso (guest, #9993) [Link] (3 responses)

It's fairer to say that this is a "Minimum Viable Product". It solves a number of important use cases for Chrome OS and for Android in the near term.

We've talked about in the future adding public key crypto, in which case there will be a per-inode key that would get encrypted once so that Alice's private key will be able to obtain the per-inode key, and once so that Bob's private key could obtain the per-inode key.

In the initial prototype, we had this support w/o public key crypto, and it didn't add a lot of value, since it meant that at the time when you created the file, you would need to have Alice and Bob's symmetric key in memory, and for both Android and Chrome OS, an important design principle is that if a user is not logged in, their key is not available (at least not in decrypted form) anywhere on the system.

The other problem is that in the initial prototype, even when you had a single per-inode key wrapped with a single user's symmetric key, the resulting size of the extended attribute, combined with the size of the SELinux policy xattr (which is a _pig_; it uses a very verbose ascii string), the resulting xattrs would require an external 4k block for each inode. This was considered extremely unfortunate.

So hence we decided to fall back to using a very compact encoding for files that were encrypted for only a single user. In the future we'll add a version 2 on-disk structure which will allow for a file to use a per-file key encrypted by multiple users' public keys. Public key is also a pig, so at that point you will definitely need to go to an external xattr block --- but the assumption is that the number of shared files that would need to be accessible by multiple users will be relatively small. Or maybe we could do something by adding another layer of indirection. We'll see. The bottom line is that there's a pretty tight deadline for getting kernel changes in for the 'M' release, and what we have is sufficient for the use cases articulated to us by both the ChromeOS and Android teams.

What might get supported in releases beyond that will be a different question, but we have plenty of time to figure that out. Consider this the first step in a journey, not the end point.

Ext4 encryption

Posted Apr 13, 2015 1:38 UTC (Mon) by fandingo (guest, #67019) [Link] (1 responses)

Thanks for the detailed reply.

This gets back to a question I had in another comment: What made the developers decide on the per-file protector? I can't wrap my head around what the actual goal of it is, and without a per-file protector, the size (and therefor performance) xattr considerations don't come into play. Obviously, there would still be a performance impact with multiple protectors on directories, and I'm not sure how much of a problem that would be in practice (plus the mechanism to iterate over multiple protectors to find the proper one for the user's key(s)).

Ext4 encryption

Posted Apr 13, 2015 3:00 UTC (Mon) by tytso (guest, #9993) [Link]

Why use a separate key for each file? There are a couple of advantages for doing things that way:

1) It makes it easier for us to later on migrate to allowing multiple users access to a file. Example: Alice owns a file which is encrypted in a unique key which is derived from Alice's logon key plus a unique per-file nonce. In the future, when we support public key crypto, Alice wants to allow Bob to access the file as well; so we can update the policy structure to include the per-file key encrypted using Bob's public key. If all of the files owned by Alice are encrypted directly by Alice's logon key, we wouldn't be able to do this without decrypting and re-encrypting the file in a new unique key (since otherwise Bob would have access to all of Alice's files).

2) It simplifies the XTS Tweak Value (think IV or ESSIV value if we were using CBC mode), since we can just use the logical block number of the file as the basis for the generation of the XTS Tweak value or CBC IV value. If all of the files are encrypted directly with the same key, we would have to do something such as include the inode number as part of the XTS Tweak / IV value. That in turn would break the ability to resize file systems (since sometimes the inode number could change on for some files after a resize2fs shrink operation).

Ext4 encryption

Posted Apr 13, 2015 23:37 UTC (Mon) by nix (subscriber, #2304) [Link]

Or maybe we could do something by adding another layer of indirection.
That's what LUKS does, but of course it has somewhere where it can store that sort of thing (the LUKS header). If you're storing everything on a per-file basis, it's harder: there's no obvious location to store stuff like intermediate keys (which is, in effect, how you'd implement multiple passphrases).

Ext4 encryption

Posted Apr 10, 2015 0:14 UTC (Fri) by skissane (subscriber, #38675) [Link] (4 responses)

If they encrypt the filename, how do they avoid the filename containing reserved bytes (i.e. null or forward slash) ? Since encrypted data is fundamentally random, it could contain either of these bytes, which would then make the file name invalid. It could also perchance contain escape sequences, etc, which could make your terminal emulator malfunction or crash. The obvious answer to this would be to encode the filename (e.g. modified Base64) - do they do this? (I had a quick look at the patch, but I'd have to read it in more detail to understand this.)

There is a proposal before the Austin Group to change POSIX to ban some or all C0 control characters in filenames. http://austingroupbugs.net/view.php?id=251 - who knows if this will pass (personally I like the proposal, others may disagree) - but if that was added to POSIX, this issue would become even bigger (there would be 33 reserved bytes instead of just 2).

Ext4 encryption

Posted Apr 10, 2015 14:55 UTC (Fri) by fandingo (guest, #67019) [Link]

Yes, they do.

> The encode operation is very similar to Base64 encoding. However, to make sure that an encoded name is a legal EXT4 name, the character set used for encoding is a-zA-Z0-9+=. The encoding function maps three bytes of the input string (hash to be encoded) to 4 characters in the above range.

Ext4 encryption

Posted Apr 13, 2015 23:58 UTC (Mon) by nix (subscriber, #2304) [Link] (2 responses)

http://austingroupbugs.net/view.php?id=251... oh my god that bug has so much concentrated stupid in it, it hurts. From dwheeler's perfectly reasonable proposal -- I can't see any sane programs being hurt by an optional, default-on flag that bars creation of files with linefeeds, esc, escape, backspace and the like in them -- we get to a mention (in Geoff Clare's comment 1732) of an old committee decision which has been catastrophically infected with second-system syndrome involving a new readdir() flag, a readdir() that fails when encountering such filenames (!!!) and oh dear oh dear I can't see this ever getting implemented. I'm frankly surprised Al Viro didn't turn up on the thread with some choice words for the people proposing such an overengineered disaster.

Even ignoring everything else, readdir() doesn't actually take flags, so what are they going to do? changing readdir()'s prototype is impossible and introducing a readdir2() with an extra flags argument is more or less useless because only those programs whose authors think about the problem of weird filenames would ever use it, but if people *did* think about that problem, weird filenames wouldn't cause trouble in the first place because everyone would handle them fine. If you had the flag default on unless readdir2() was used to turn it off, this would just turn filenames containing linefeeds into an attack vector on *everything*, not just on shell scripts, as others on the same bug pointed out. It's not like anything is really prepared for readdir() to fail, either -- people tend to assume readdir() failure means disk damage or some other catastrophic problem, so any directory with a filename in it inducing such a failure would be more or less entirely unusable. Bingo, instant DoS attack vector.

Ext4 encryption

Posted Apr 14, 2015 0:38 UTC (Tue) by viro (subscriber, #7872) [Link] (1 responses)

Hadn't seen it, actually. What choice words, other than obvious "NOTABUG, WONTFIX", anyway? POSIX is only relevant to an extent it matches the reality. They can't order us to implement that kind of crap, they are extremely unlikely to be able to convince that it's a good idea (a quick scan leaves Bowman-style impression[1]), therefore it won't be implemented. Case closed. Any whinge along the lines of "but I've lobbied POSIX and now they say it's a bug" will be met with "it's their problem"...

[1] "My God, it's full of s..."

Ext4 encryption

Posted Apr 14, 2015 11:12 UTC (Tue) by nix (subscriber, #2304) [Link]

I think that's why its gone nowhere in five years or more. Several people pointed out that there was little chance anyone would willingly implement anything as baroque as that committee-driven scheme...

Ext4 encryption

Posted Apr 10, 2015 12:50 UTC (Fri) by robbe (guest, #16131) [Link] (4 responses)

So would it be fair to say that this is eCryptFs and ext4 smushed together in a giant layer violation for performance?

Me, I'm staying with dm-crypt. The performance downsides [citation appreciated] of it seem to apply mainly to the hand-held form factor.

Ext4 encryption

Posted Apr 10, 2015 13:41 UTC (Fri) by cesarb (subscriber, #6266) [Link] (2 responses)

> Me, I'm staying with dm-crypt. The performance downsides [citation appreciated] of it seem to apply mainly to the hand-held form factor.

If your CPU doesn't have AESNI or equivalent, it uses lots of CPU when doing an I/O heavy operation (like a full backup). The performance difference when going from a CPU without AESNI to a CPU with AESNI is noticeable.

AFAIK, that was precisely the problem with Android: a lot of phones didn't have the AESNI equivalent enabled because reasons.

Ext4 encryption

Posted Apr 10, 2015 20:40 UTC (Fri) by kleptog (subscriber, #1183) [Link]

> If your CPU doesn't have AESNI or equivalent, it uses lots of CPU when doing an I/O heavy operation (like a full backup). The performance difference when going from a CPU without AESNI to a CPU with AESNI is noticeable.

Ouch, yes, the difference is huge. At one point we had a server which was going dog-slow, while an apparently identical server next to it had no problems. After much searching it turned out that for some reason on this server the aesni_intel module was not getting loaded. An extra line in /etc/modules and a reboot later everything back to normal.

If the goal of this patch it to make as much of the filesystem usable without invoking any encryption then it explains some of the choices, but it's definitely a feature aimed at embedded processors.

Ext4 encryption

Posted Apr 13, 2015 19:53 UTC (Mon) by robbe (guest, #16131) [Link]

All true, but the proposed ext4 encryption does not change this one jota.

Ext4 encryption

Posted Apr 11, 2015 1:39 UTC (Sat) by mhalcrow (guest, #17371) [Link]

If you're protecting a single-user laptop, I suggest you stick with dm-crypt.

eCryptfs is a layer that should never have happened without proper stacking support in the MM/VFS.

Ext4 encryption

Posted Apr 10, 2015 21:07 UTC (Fri) by mhalcrow (guest, #17371) [Link]

Jonathan, great writeup. Thanks for covering this -- and, in particular, for emphasizing our threat model for the current code drop.

I have one minor correction. We don't allocate bounce buffers on reads. We read and then decrypt in place, and we don't set the page up to date until after the decryption is done. Writes have to be bounced though.

About that future encryption scheme, there's a hint in the patchset: EXT4_ENCRYPTION_MODE_AES_256_GCM. My original design called for encryption with integrity, but there's a dependency on per-block metadata support. The metadata needs to have transactional semantics since the metadata and the ciphertext need to be consistent. I hear Mingming cao is currently working on a framework for that, but there's not word on when it'll be ready at this point. As soon as we have a place to put per-block metadata, we can slap a nonce and auth tag on each block and expand our threat model a bit.

Ext4 encryption

Posted Apr 16, 2015 11:49 UTC (Thu) by tenshin (guest, #101995) [Link]

Will encryption eventually be a feature that can be added to existing ext4 filesystems with tune2fs? If so, what precautions, if any, does one need to take to ensure that ext4 filesystems created today are compatible with it in the future?


Copyright © 2015, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy