Message-ID: <CANDhNCp=06eNkOqNX2dFrnYhpZX0xsEd06U1xCwORk1mwt=MCw@mail.gmail.com>
Date: Tue, 14 Oct 2025 09:38:52 -0700
From: John Stultz <jstultz@...gle.com>
To: "Theodore Ts'o" <tytso@....edu>
Cc: Arnd Bergmann <arnd@...db.de>, Matthew Wilcox <willy@...radead.org>, Arnd Bergmann <arnd@...nel.org>, 
	Tyler Hicks <code@...icks.com>, Damien Le Moal <damien.lemoal@...nsource.wdc.com>, 
	ecryptfs@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: ecryptfs is unmaintained and untested

On Tue, Oct 14, 2025 at 7:39 AM Theodore Ts'o <tytso@....edu> wrote:
> On Mon, Oct 13, 2025 at 11:07:56PM -0700, John Stultz wrote:
> >
> > Yeah. Sadly I'm one, as I needed something to migrate off of when
> > encfs was deprecated.
> >
> > Is there another soon-to-be-deprecated filesystem to encrypt
> > directories I should move to? :)
>
> Well, the closest way of encrypting directories is fscrypt.  The good
> news is that it works on top of btrfs, ext4, f2fs, and ubifs, and it's
> not likely to be deprecated given that it is used by chromeos and
> android.  The bad news is that the integration with traditional Linux
> desktop setups (e.g., login, etc.) was never completed.

Yeah, though to my understanding fscrypt complicates backing up the
data in its encrypted form.
Having the fuse/overlay encryption approaches is nice because you can
just backup the underlying filesystem layer and ignore the overlay
mount.

> This is probably because for many desktop and server configurations,
> using dm-crypt is actually better suited and more secure.  It
> certainly doesn't solve the "just encrypt a directory hierarchy in a
> file system" and the "support multiple users who might have different
> encryption keys and which are mutually suspicious" use cases.  But
> this appears to not be sufficiently interesting for distributions to
> do that integration work.

Mostly I avoid dm-crypt for personal files as I want the majority of
things (family pictures, etc) to be as simply recoverable as possible.
It's only for a small amount of things like email archives and
tax/financial documents that I'd like to have it be non-trivial to
access if my backup drive or desktop was stolen.

I've wondered if maybe something as simple as fuse mounting a password
protected zip file would do, but I'm guessing something a little more
modern like a fuse + age approach would be better. Unfortunately I'm
not finding anything so far.

thanks
-john
