Comments (3)
The limitation here is mostly just a reflection of the underlying kernel API. FS_IOC_SET_ENCRYPTION_POLICY can only apply a new policy to an empty directory. Thus, this userspace tool has the same restriction.
This is almost always what you want though, because just having filesystem-level encryption on an individual file would not encrypt the filename, and we want things to be secure by default. You can move an individual encrypted file out of an encrypted directory, but then fscrypt unlock will no longer work.
The primary one I can think of is the .fscrypt directory, though my first thought is to allow the use of xattrs for those instead.
This might be a misunderstanding of how the /.fscrypt directory works. That directory is for storing policies/protectors for the filesystem, not for a specific directory. The location of the data in that directory will not affect whether fscrypt can work on an individual file.
from fscrypt.
@josephlr I definitely get wanting to encrypt the filename as well as the data, but that would seem reasonably hidden if the directory was encrypted. So in the case in which the filename is not sensitive info the dir could be unencrypted, but the contents of the file would be.
Yes, that was my hopeful misunderstanding on what the .fscrypt file did, thank you for clearing that up too!
That said, thank you for the info, and agreed, it seems the issue is at the kernel API first.
It probably would be possible for the kernel to be changed to allow setting an encryption policy on an empty regular file, but there's been no good reason to allow it so far.
If you really want to, you can already create an encrypted directory and a file within it, then move that file into an unencrypted directory. In that case, you do in fact end up with a standalone encrypted file.
However, as @josephlr mentioned, an issue with standalone encrypted files is that fscrypt unlock doesn't work. That's because in order to figure out which encryption policy to unlock, it's necessary to open the file to query its encryption policy. But the kernel does not allow encrypted regular files to be opened without their encryption key being present; only directories can be.
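The open-then-query step the third comment describes, as an added example that is not fscrypt's own code: a C probe that opens a path and asks the kernel for its encryption policy, showing why a locked directory can still be inspected while a standalone locked regular file cannot. The function name probe_fscrypt and the locally redeclared struct are my own; the struct is assumed to match the layout of the kernel's struct fscrypt_get_policy_ex_arg, and the ioctl number is FS_IOC_GET_ENCRYPTION_POLICY_EX (Linux 5.4 and later).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef ENOKEY
#define ENOKEY 126 /* Linux value; only so the file compiles on other libcs */
#endif

/* Assumed layout of struct fscrypt_get_policy_ex_arg: size, then union fscrypt_policy. */
struct probe_policy_ex_arg {
    uint64_t policy_size; /* in: sizeof(policy); out: bytes the kernel wrote */
    uint8_t policy[24];   /* policy[0] is the version: 0 = v1, 2 = v2 */
};
#define PROBE_GET_POLICY_EX _IOWR('f', 22, uint8_t[9]) /* FS_IOC_GET_ENCRYPTION_POLICY_EX */

enum probe_state { PROBE_ERROR = -1, PLAINTEXT, UNSUPPORTED, ENCRYPTED, LOCKED };

/* A locked directory still opens, so its policy can be read; a locked regular
 * file fails at open(2) with ENOKEY before any ioctl is possible. O_PATH is no
 * workaround: ioctl(2) on an O_PATH descriptor fails with EBADF. */
enum probe_state probe_fscrypt(const char *path, uint8_t *version_out)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return PROBE_ERROR;
    int flags = O_RDONLY | O_NONBLOCK | O_NOFOLLOW | (S_ISDIR(st.st_mode) ? O_DIRECTORY : 0);
    int fd = open(path, flags);
    if (fd < 0)
        return errno == ENOKEY ? LOCKED : PROBE_ERROR;
    struct probe_policy_ex_arg arg = { .policy_size = sizeof(arg.policy) };
    int rc = ioctl(fd, PROBE_GET_POLICY_EX, &arg);
    int saved = errno;
    close(fd);
    if (rc == 0) {
        if (version_out)
            *version_out = arg.policy[0];
        return ENCRYPTED; /* for a directory this says nothing about whether its key is loaded */
    }
    switch (saved) {
    case ENODATA:    return PLAINTEXT;   /* inode carries no encryption policy */
    case ENOTTY:
    case EOPNOTSUPP: return UNSUPPORTED; /* no fscrypt on this filesystem, or kernel < 5.4 */
    default:         return PROBE_ERROR;
    }
}
```

Run it against an encrypted directory and against a file moved out of one after locking: the directory reports ENCRYPTED from the ioctl, the standalone file reports LOCKED from open(2) alone, which is the point at which fscrypt unlock has nothing to go on.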