Ext4 encryption

Posted May 27, 2015 5:37 UTC (Wed) by geofft (subscriber, #59789)
In reply to: Ext4 encryption by pr1268
Parent article: Ext4 encryption

dm-crypt is block-level encryption, not filesystem-level encryption. This means that you cannot add any bytes in the process of encrypting it. This means that your encryption is not authenticated, and unauthenticated encryption is generally a major mistake.

dm-crypt is very good at what it does, but what it does is necessarily incomplete by the nature of the problem. There are (limited) use cases for unauthenticated disk encryption, and dm-crypt is great for those, but if you can do authenticated encryption, you should. It's sorta like unsalted, unstretched passwords: SHA-512 is a fantastic hash function, but using it as a password storage scheme makes for a bad password storage scheme.

I see your conspiracy theory and raise you "The NSA is sending shills into comment sections to complain about people writing good cryptosystems instead of reusing the bad cryptosystems they already know how to break."

Ext4 encryption

Posted May 27, 2015 16:10 UTC (Wed) by flussence (guest, #85566) [Link] (1 responses)

I can think of a more mundane explanation: Android devices have all the software necessary to flip dm-crypt usage on/off in-place, but lack the hardware (battery capacity) to do it safely.

Ext4 encryption

Posted Jun 22, 2015 17:09 UTC (Mon) by luto (guest, #39314) [Link]

It would be straightforward to do it in place in a resumable fashion using a mix of dm-crypt, dm-linear, and whatever the dm target that delays IO is. All you'd need to do is have a little bit of spare space and some user code.

Ext4 encryption

Posted May 27, 2015 18:26 UTC (Wed) by kmeyer (subscriber, #50720) [Link]

> dm-crypt is block-level encryption, not filesystem-level encryption. This means that you cannot add any bytes in the process of encrypting it. This means that your encryption is not authenticated, and unauthenticated encryption is generally a major mistake.

Ext4's new encryption mode, as described, is equally unauthenticated -- it is not designed to be resilient against covert modifications to the ciphertext.