bcachefs-tools/docs/feat-encryption.rst
2022-11-01 22:28:07 -04:00


Encryption
~~~~~~~~~~

bcachefs supports authenticated (AEAD style) encryption -
ChaCha20/Poly1305. When encryption is enabled, the Poly1305 MAC replaces
the normal data and metadata checksums. This style of encryption is
superior to typical block layer or filesystem level encryption (usually
AES-XTS), which only operates on blocks and doesn't have a way to store
nonces or MACs. In contrast, we store a nonce and cryptographic MAC
alongside data pointers - meaning we have a chain of trust up to the
superblock (or journal, in the case of unclean shutdowns) and can
definitely tell if metadata has been modified, dropped, or replaced with
an earlier version - replay attacks are not possible.

Encryption can only be specified for the entire filesystem, not per file
or directory - this is because metadata blocks do not belong to a
particular file. All metadata except for the superblock is encrypted.

In the future we'll probably add AES-GCM for platforms that have
hardware acceleration for AES, but in the meantime software
implementations of ChaCha20 are also quite fast on most platforms.

``scrypt`` is used for the key derivation function - for converting the
user supplied passphrase to an encryption key.

To format a filesystem with encryption, use

::

    bcachefs format --encrypted /dev/sda1

You will be prompted for a passphrase. Then, to use an encrypted
filesystem use the command

::

    bcachefs unlock /dev/sda1

You will be prompted for the passphrase and the encryption key will be
added to your in-kernel keyring; mount, fsck and other commands will
then work as usual.

The passphrase on an existing encrypted filesystem can be changed with
the ``bcachefs set-passphrase`` command. To permanently unlock an
encrypted filesystem, use the ``bcachefs remove-passphrase`` command -
this can be useful when dumping filesystem metadata for debugging by the
developers.

There is a ``wide_macs`` option which controls the size of the
cryptographic MACs stored on disk. By default, only 80 bits are stored,
which should be sufficient security for most applications. With the
``wide_macs`` option enabled we store the full 128 bit MAC, at the cost
of making extents 8 bytes bigger.
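
The scheme described above (a nonce and a Poly1305 MAC stored alongside each
data pointer, the MAC standing in for the checksum, truncated to 80 bits
unless ``wide_macs`` is set, and ``scrypt`` turning the passphrase into the
key) as a constructed Python model. This is an added example, not bcachefs
code: the ChaCha20/Poly1305 primitive follows RFC 8439, but the pointer
tuple, the random per-write nonce, the use of the block address as
associated data and the scrypt cost parameters are this model's own
assumptions and do not reflect bcachefs's on-disk format. The demo shows
what the MAC-as-checksum catches that a plain checksum cannot: a modified
block and a replayed earlier version of a block both fail to authenticate
against the pointer in the current tree.

```python
"""Toy model of bcachefs-style authenticated extents (constructed example).

ChaCha20/Poly1305 is implemented per RFC 8439; the pointer layout, the random
nonce and the block address used as AAD are simplifications of this model.
"""
import hashlib
import hmac
import os
import struct

MASK32 = 0xffffffff

def _qr(s, a, b, c, d):
    """One ChaCha quarter round on state words a, b, c, d (in place)."""
    for x, y, z, n in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & MASK32
        t = s[z] ^ s[x]
        s[z] = ((t << n) | (t >> (32 - n))) & MASK32

def chacha20_block(key, counter, nonce):
    """ChaCha20 block function: 64 bytes of keystream for (key, counter, nonce)."""
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key
                              + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(s, *q)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(s, init)))

def chacha20_xor(key, nonce, data, counter=1):
    """XOR data with keystream; encryption and decryption are the same step."""
    out = bytearray(data)
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        for j in range(min(64, len(data) - i)):
            out[i + j] ^= ks[j]
    return bytes(out)

def poly1305(key, msg):
    """Poly1305 one-time authenticator: 16-byte tag under a 32-byte key."""
    r = int.from_bytes(key[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    s = int.from_bytes(key[16:], "little")
    p = (1 << 130) - 5
    acc = 0
    for i in range(0, len(msg), 16):
        acc = ((acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def _pad16(b):
    return b + b"\x00" * (-len(b) % 16)

def _aead_tag(key, nonce, aad, ct):
    otk = chacha20_block(key, 0, nonce)[:32]  # one-time Poly1305 key (counter 0)
    return poly1305(otk, _pad16(aad) + _pad16(ct) + struct.pack("<QQ", len(aad), len(ct)))

def aead_seal(key, nonce, aad, plaintext):
    ct = chacha20_xor(key, nonce, plaintext)
    return ct, _aead_tag(key, nonce, aad, ct)

def aead_open(key, nonce, aad, ct, mac):
    """Check a full or truncated MAC in constant time; decrypt only on success."""
    if not hmac.compare_digest(_aead_tag(key, nonce, aad, ct)[:len(mac)], mac):
        return None
    return chacha20_xor(key, nonce, ct)

def derive_key(passphrase, salt):
    """Passphrase -> 256-bit key with scrypt (toy cost parameters, an assumption)."""
    return hashlib.scrypt(passphrase, salt=salt, n=2 ** 12, r=8, p=1, dklen=32)

def write_extent(key, store, lba, plaintext, wide_macs=False):
    """Encrypt a block and return the pointer that authenticates it:
    (address, nonce, MAC truncated to 80 bits, or the full 128 with wide_macs)."""
    nonce = os.urandom(12)  # toy choice; bcachefs derives its nonces differently
    ct, tag = aead_seal(key, nonce, struct.pack("<Q", lba), plaintext)
    store[lba] = ct
    return (lba, nonce, tag[:16 if wide_macs else 10])

def read_extent(key, store, pointer):
    """Plaintext of the block, or None if what is stored fails to authenticate."""
    lba, nonce, mac = pointer
    return aead_open(key, nonce, struct.pack("<Q", lba), store[lba], mac)

def demo(wide_macs=False):
    """Overwrite a block, then try a bit flip and a replay of the old version."""
    key = derive_key(b"correct horse battery staple", b"constructed-salt")
    store = {}
    write_extent(key, store, 7, b"block contents, version one", wide_macs)
    stale_ct = store[7]  # the earlier ciphertext, kept for the replay attempt
    ptr = write_extent(key, store, 7, b"block contents, version two", wide_macs)
    flipped = {**store, 7: bytes([store[7][0] ^ 0x01]) + store[7][1:]}
    replayed = {**store, 7: stale_ct}
    return {"mac_bytes": len(ptr[2]),
            "good": read_extent(key, store, ptr) == b"block contents, version two",
            "modified_detected": read_extent(key, flipped, ptr) is None,
            "replay_detected": read_extent(key, replayed, ptr) is None}

def rfc8439_selftest():
    """AEAD test vector from RFC 8439 section 2.8.2."""
    key, nonce = bytes(range(0x80, 0xa0)), bytes.fromhex("070000004041424344454647")
    msg = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
           b"only one tip for the future, sunscreen would be it.")
    _, tag = aead_seal(key, nonce, bytes.fromhex("50515253c0c1c2c3c4c5c6c7"), msg)
    return tag.hex() == "1ae10b594f09e26a7e902ecbd0600691"

if __name__ == "__main__":
    print("RFC 8439 vector ok:", rfc8439_selftest())
    print("80-bit MACs:", demo())
    print("wide_macs:  ", demo(wide_macs=True))
```

The 80-bit pointer carries 10 MAC bytes and the ``wide_macs`` pointer 16; the
replayed block fails because the pointer in the live tree holds the nonce and
MAC of the newer write, so the stale ciphertext can no longer authenticate.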