Message-ID: <20251014203535.GA1916@quark>
Date: Tue, 14 Oct 2025 13:35:35 -0700
From: Eric Biggers <ebiggers@...nel.org>
To: Theodore Ts'o <tytso@....edu>
Cc: John Stultz <jstultz@...gle.com>, Arnd Bergmann <arnd@...db.de>,
	Matthew Wilcox <willy@...radead.org>,
	Arnd Bergmann <arnd@...nel.org>, Tyler Hicks <code@...icks.com>,
	Damien Le Moal <damien.lemoal@...nsource.wdc.com>,
	ecryptfs@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: ecryptfs is unmaintained and untested

On Tue, Oct 14, 2025 at 10:39:16AM -0400, Theodore Ts'o wrote:
> On Mon, Oct 13, 2025 at 11:07:56PM -0700, John Stultz wrote:
> > 
> > Yeah. Sadly I'm one, as I needed something to migrate off of when
> > encfs was deprecated.
> > 
> > Is there another soon-to-be-deprecated filesystem to encrypt
> > directories I should move to? :)
> 
> Well, the closest way of encrypting directories is fscrypt.  The good
> news is that it works on top of btrfs, ext4, f2fs, and ubifs, and it's
> not likely to be deprecated given that it is used by chromeos and
> android.  The bad news is that the integration with traditional Linux
> desktop setups (e.g., login, etc.) was never completed.

The current set of filesystems that support fscrypt is ext4, f2fs,
ubifs, cephfs, and (out-of-tree) Lustre.  btrfs's support for fscrypt is
still under development, I'm afraid.  I'm told it's starting to be
worked on again.

While the main user of the fscrypt kernel feature is Android which has
its own userspace, there's also a userspace tool for general-purpose
Linux distros, also called fscrypt.  See
https://github.com/google/fscrypt and
https://wiki.archlinux.org/title/Fscrypt

I've been maintaining the 'fscrypt' userspace tool, and in the past I've
done quite a bit of work to improve it.  I also use it to encrypt the
home directory on my personal desktop.

It's true that it really could use some love, though.  It's not
something that I've been prioritizing recently, and no one else has
stepped up either.  (Compare to eCryptfs where Ubuntu adopted it, and
Canonical stepped up to develop and maintain ecryptfs-tools.  That's
just not something that's happened for fscrypt.)

There are other userspace programs that use the fscrypt kernel feature
too, such as systemd-homed and a new one called dirlock:
https://lwn.net/Articles/1038859/

- Eric
