Encryption ~~~~~~~~~~ bcachefs supports authenticated (AEAD style) encryption - ChaCha20/Poly1305. When encryption is enabled, the poly1305 MAC replaces the normal data and metadata checksums. This style of encryption is superior to typical block layer or filesystem level encryption (usually AES-XTS), which only operates on blocks and doesn’t have a way to store nonces or MACs. In contrast, we store a nonce and cryptographic MAC alongside data pointers - meaning we have a chain of trust up to the superblock (or journal, in the case of unclean shutdowns) and can definitely tell if metadata has been modified, dropped, or replaced with an earlier version - replay attacks are not possible. Encryption can only be specified for the entire filesystem, not per file or directory - this is because metadata blocks do not belong to a particular file. All metadata except for the superblock is encrypted. In the future we’ll probably add AES-GCM for platforms that have hardware acceleration for AES, but in the meantime software implementations of ChaCha20 are also quite fast on most platforms. ``scrypt`` is used for the key derivation function - for converting the user supplied passphrase to an encryption key. To format a filesystem with encryption, use :: bcachefs format --encrypted /dev/sda1 You will be prompted for a passphrase. Then, to use an encrypted filesystem use the command :: bcachefs unlock /dev/sda1 You will be prompted for the passphrase and the encryption key will be added to your in-kernel keyring; mount, fsck and other commands will then work as usual. The passphrase on an existing encrypted filesystem can be changed with the ``bcachefs set-passphrase`` command. To permanently unlock an encrypted filesystem, use the ``bcachefs remove-passphrase`` command - this can be useful when dumping filesystem metadata for debugging by the developers. There is a ``wide_macs`` option which controls the size of the cryptographic MACs stored on disk. By default, only 80 bits are stored, which should be sufficient security for most applications. With the ``wide_macs`` option enabled we store the full 128 bit MAC, at the cost of making extents 8 bytes bigger.