From c74be8ce5ba5fd123f38e22868cab43fe40753a3 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Sat, 17 Feb 2024 13:17:01 -0800 Subject: [PATCH 1/2] README.md: update documentation about alternatives --- README.md | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 044b0bf9..a6e57d57 100644 --- a/README.md +++ b/README.md @@ -80,6 +80,16 @@ Before using `fscrypt`, you should consider other solutions: device. dm-crypt/LUKS is usually configured using [cryptsetup](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home). +* [`systemd-homed`](https://systemd.io/HOME_DIRECTORY/) supports encrypting home + directories using the same Linux native filesystem encryption API that + `fscrypt` uses. Note that while the `systemd-homed` documentation refers to + this as fscrypt support, it does not use the `fscrypt` tool; directories set + up using `systemd-homed` cannot be managed by `fscrypt` and vice versa. + `systemd-homed` has better integration with systemd than `fscrypt` does; + however, `systemd-homed` (as of systemd v255) uses an obsolete version of the + Linux native filesystem encryption API, and users may run into known issues. + Issues with `systemd-homed` should be reported to the systemd developers. + * [**eCryptfs**](https://en.wikipedia.org/wiki/ECryptfs) is an alternative filesystem-level encryption solution. It is a stacked filesystem, which means it sits on top of a real filesystem, rather than being directly integrated 
@@ -88,10 +98,12 @@ Before using `fscrypt`, you should consider other solutions: disadvantages. eCryptfs is usually configured using [ecryptfs-utils](https://packages.debian.org/stretch/ecryptfs-utils). -* The [**ZFS**](https://en.wikipedia.org/wiki/ZFS) filesystem supports - encryption in its own way (not compatible with `fscrypt`). ZFS encryption has - some advantages; however, ZFS isn't part of the upstream Linux kernel and is - less common than other filesystems, so this solution usually isn't an option. +* Some Linux filesystems support encryption natively, but not in a way that is + compatible with the common API that `fscrypt` uses. Examples of this are + Bcachefs and ZFS. (Note: ZFS is not part of the upstream kernel.) Bcachefs + encryption is similar to dm-crypt in that it encrypts the full filesystem with + one key. ZFS encryption operates on a per-dataset basis. If you are using + one of these filesystems, refer to the documentation for that filesystem. Which solution to use? Here are our recommendations: @@ -101,9 +113,9 @@ Which solution to use? Here are our recommendations: filesystem encryption instead. The largest users of eCryptfs (Ubuntu and Chrome OS) have switched to dm-crypt or Linux native filesystem encryption. -* If you need fine-grained control of encryption within a filesystem, then use - `fscrypt`, or `fscrypt` together with dm-crypt/LUKS. If you don't need this, - then use dm-crypt/LUKS. +* If you need fine-grained control of encryption within a filesystem and you are + using a filesystem that supports `fscrypt`, then use `fscrypt`, or `fscrypt` + together with dm-crypt/LUKS. If you don't need this, then use dm-crypt/LUKS. To understand this recommendation: consider that the main advantage of `fscrypt` is to allow different files on the same filesystem to be encrypted From 2bf4521e3d3fd1c5b5a383defd1535d929ad808b Mon Sep 17 00:00:00 2001 
From: Eric Biggers Date: Sat, 17 Feb 2024 13:31:27 -0800 Subject: [PATCH 2/2] README.md: remove old warning about ext4 encryption on removable media This warning is only applicable for systems with kernel versions older than v4.1, which is now too old to be worth the mention here. --- README.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/README.md b/README.md index a6e57d57..5de0f119 100644 --- a/README.md +++ b/README.md @@ -305,10 +305,6 @@ It is also recommended to use Linux kernel v5.4 or later, since this allows the use of v2 encryption policies. v2 policies have several security and usability improvements over v1 policies. -Be careful when using ext4 encryption on removable media, since ext4 filesystems -with the `encrypt` feature cannot be mounted on systems with kernel versions -older than the minimums listed above -- even to access unencrypted files! - If you configure `fscrypt` to use non-default features, other kernel prerequisites may be needed too. See [Configuration file](#configuration-file).
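Review bot: in the new `systemd-homed` bullet of the first hunk (README.md, lines 80-96 after the change), "uses an obsolete version of the Linux native filesystem encryption API, and users may run into known issues" is too vague for a reader deciding between the tools; the README already distinguishes v1 and v2 encryption policies in the kernel-prerequisites section, so say which policy version `systemd-homed` uses and either name or link the known issues, rather than leaving the reader to guess. A minor style point in the same bullet: the other alternatives are introduced with a bold name (`[**eCryptfs**]`, `[**ZFS**]`), while this one uses only backticks; match the existing convention.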
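Review bot: in the second hunk of the first patch (the bullet replacing the ZFS entry), the new text names Bcachefs and ZFS but, unlike every other alternative in the list, links to neither project; add links so the bullet is consistent with its neighbours and the closing "refer to the documentation for that filesystem" has somewhere to point. The bullet also describes how these filesystems encrypt but never states the practical consequence for this README's reader, which is that `fscrypt` cannot be used on them at all; one explicit sentence to that effect would make the later recommendation ("using a filesystem that supports `fscrypt`") easier to act on.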
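Review bot: in the third hunk of the first patch (the recommendation at README.md line 113 onward), the added condition "and you are using a filesystem that supports `fscrypt`" introduces a prerequisite without telling the reader where to find the list of supported filesystems; add a cross-reference to the part of the README that lists them, in the same `[Section](#anchor)` form the file already uses (as with `[Configuration file](#configuration-file)`), so the recommendation is self-contained.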
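Review bot: in the second patch's hunk (README.md line 305 onward), the removed paragraph was conditioned on "the minimums listed above", while the commit message justifies the removal with a fixed threshold of v4.1; please confirm in the commit message that the minimum kernel versions the README states above this point are all at least v4.1, because the warning is only truly obsolete if no configuration the README still documents can fall below that version. The remaining text does still read coherently after the deletion: the v5.4 recommendation and the "non-default features" paragraph join without a gap.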