@Sigma I understand. Without any real documented alternatives and migration paths, changes like this can be expected to trip up people though 🙃

- #fscrypt only supports some filesystems, setup and migration seem very manual and tedious, no #nixos wiki page or writeups
- #gocryptfs is FUSE, but also seems tedious, nothing for nixos either
- #CryFS is totally not designed for homedir encryption (though someone tried but stopped).

Joe Richey released #fscrypt version 0.3.6. https://github.com/google/fscrypt

I wonder how fscrypt compares to LUKS. It does encryption at the filesystem level instead of underneath it at the block device level.

Apparently XTS (which block device encryption uses out of necessity) isn't great at least according to https://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/, and fscrypt would solve that. But fscrypt also leaks a bunch of metadata that LUKS doesn't.

It sounds like Android's encryption is fscrypt-based? So Google at least thinks it's good enough for them. But I worry if we did it ourselves we'd misuse it somehow.

#linux #LUKS #fscrypt #cryptography

#askfedi To my fellow nerds out there, is #btrfs not properly compatible with #fscrypt on #Fedora 42 using #systemd-homed yet, or did I just fuck something up? LUKS works well and is more secure because it encrypts metadata, but I really wanted to try dynamic encrypted home directories.
Joe Richey released #fscrypt version 0.3.5. https://github.com/google/fscrypt

#FSCRYPT In Linux 6.7 More Adaptable For Inline Encryption Hardware

https://www.phoronix.com/news/Linux-6.7-FSCRYPT

Joe Richey released #fscrypt version 0.3.3. https://github.com/google/fscrypt

Sweet Tea Dorminy submitted a patch-set adding an encryption feature to #btrfs: https://lore.kernel.org/all/cover.1687[email protected]/

> *This is a changeset adding encryption to btrfs. It is not complete; it does not support inline data or verity or authenticated encryption. It is primarily intended as a proof that the fscrypt extent encryption changeset it builds on works.*

For the mentioned #fscrypt changes see:
https://lore.kernel.org/linux-fscrypt/[email protected]/ #Linux #kernel #LinuxKernel

[PATCH v1 00/17] btrfs: add encryption feature - Sweet Tea Dorminy

Hm, interesting, #fedora seems to be moving to full-disk-encryption using #btrfs and #fscrypt by default, along with signing unified kernel images (UKIs) and using the #TPM. No measuring/attestation AFAICT yet, but a very good move forward!

They also want to separately encrypt homes, and even mention #systemd #homed in the Pagure:
https://pagure.io/fedora-workstation/blob/master/f/notes/encryption.md
However they write:

> *It cannot be universal for all Fedora systems - some things like NFS home directories are out of scope for systemd-homed. Logging in remotely via ssh is not supported. (???)*

I'm pretty sure ssh is supported and even documented, and #NFS should be of no business to homed? But NFS+automount should work perfectly fine with #homed, or did I misunderstand something?

Maybe someone with more knowledge than me should chip in, otherwise they will re-invent the wheel (and doing separately encrypted homes is hard to do correctly!)

Joe Richey released #fscrypt version 0.3.4. https://github.com/google/fscrypt