fscrypt
The ext4, F2FS, and UBIFS file systems natively support file encryption via a common API called fscrypt (originally called "ext4 encryption"). With fscrypt, encryption is applied at the directory level. Different directories can use different encryption keys. In an encrypted directory, all file contents, filenames, and symlinks are encrypted. All subdirectories are encrypted too. Non-filename metadata, such as timestamps, the sizes and number of files, and extended attributes, is not encrypted.
fscrypt is also the name of a userspace tool to use the kernel feature of the same name. This article shows how to use the fscrypt tool to encrypt directories, including how to encrypt a home directory.
Alternatives to consider
To protect an entire file system with one password, block device encryption with dm-crypt (LUKS) is generally a better option, as it ensures that all files on the file system are encrypted, and also that all file system metadata is encrypted. fscrypt is most useful to encrypt specific directories, or to enable different encrypted directories to be unlockable independently—for example, per-user encrypted home directories.
Unlike eCryptfs, fscrypt is not a stacked file system, i.e. it is supported by file systems natively. This makes fscrypt more memory-efficient. fscrypt also uses more up-to-date cryptography than eCryptfs, and it does not require setuid binaries. Also, eCryptfs is no longer being actively developed, and its largest users have migrated to dm-crypt (Ubuntu) or to fscrypt (Chrome OS).
See data-at-rest encryption for more information about other encryption solutions, and about what encryption does and does not do.
- It is possible to use fscrypt in combination with dm-crypt, with each encryption layer serving a different purpose. For example, the file system itself could be protected by dm-crypt using a less secure method, like a TPM tied into "secure boot" or a password known to all the system's users, while each user's home directory could also be protected by fscrypt using a password known only to that user.
- The e4crypt tool from e2fsprogs can be used as an alternative to the fscrypt tool. However, this is not recommended since e4crypt is missing many basic features and is no longer being actively developed.
Preparations
Kernel
All officially supported kernels support fscrypt on ext4, F2FS, and UBIFS.
Users of custom kernels of version 5.1 or later should make sure that CONFIG_FS_ENCRYPTION=y is set. For older kernels, see the documentation.
It is also highly recommended for the kernel version to be 5.4 or later, as this allows the use of v2 encryption policies. There are several security and usability issues with v1 encryption policies.
ext4
For ext4, the file system on which encryption is to be used must have the encrypt feature flag enabled. To enable it, run:
# tune2fs -O encrypt /dev/device
- Once the encrypt feature is enabled, Linux versions older than 4.1 will be unable to mount the file system. Also, Linux versions older than 5.5 will be unable to mount the file system if its block size (tune2fs -l /dev/device | grep 'Block size') differs from the system page size (getconf PAGE_SIZE) (normally both are 4096 and this is not a problem).
- The operation can be undone with debugfs -w -R "feature -encrypt" /dev/device. Run fsck before and after to ensure the integrity of the file system.
- When creating a new file system, one can enable the encrypt feature immediately with mkfs.ext4 -O encrypt.
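The kernel and ext4 requirements above translate into a small pre-flight check. The script below is an added example, not part of the wiki page or the fscrypt project: it compares the running kernel against the 4.1, 5.4 and 5.5 thresholds stated above and checks the block size against the page size before suggesting `tune2fs -O encrypt`. The comparison helpers take their inputs as arguments so they can be exercised without root or a real device; the `/sys/fs/ext4/features/encryption` path is an assumption about how ext4 advertises CONFIG_FS_ENCRYPTION and is only used for a warning.

```shell
#!/bin/sh
# Added example (not from the wiki page or the fscrypt project): pre-flight
# checks before running `tune2fs -O encrypt`, using the thresholds stated above.
#   - kernel >= 4.1 to mount an ext4 file system with the encrypt feature
#   - kernel >= 5.5 if the fs block size differs from the page size
#   - kernel >= 5.4 recommended, so that v2 encryption policies are available

# version_ge A B: succeed if kernel version A is >= B on (major, minor).
# Extra components and suffixes such as "-arch1" or "-rc1" are ignored.
version_ge() {
    a_major=${1%%.*};        a_major=${a_major%%[!0-9]*}
    a_minor=${1#"$a_major"}; a_minor=${a_minor#.}
    a_minor=${a_minor%%.*};  a_minor=${a_minor%%[!0-9]*}
    b_major=${2%%.*};        b_major=${b_major%%[!0-9]*}
    b_minor=${2#"$b_major"}; b_minor=${b_minor#.}
    b_minor=${b_minor%%.*};  b_minor=${b_minor%%[!0-9]*}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -lt "$b_major" ] && return 1
    [ "${a_minor:-0}" -ge "${b_minor:-0}" ]
}

# block_size_ok KERNEL BLOCKSIZE PAGESIZE: the file system is mountable
# unless the two sizes differ on a kernel older than 5.5.
block_size_ok() {
    [ "$2" -eq "$3" ] || version_ge "$1" 5.5
}

# ext4_encrypt_preflight DEVICE: read the live values (tune2fs needs root)
# and report whether `tune2fs -O encrypt DEVICE` is safe to run.
ext4_encrypt_preflight() {
    dev=$1
    kver=$(uname -r)
    bs=$(tune2fs -l "$dev" | sed -n 's/^Block size: *//p')
    ps=$(getconf PAGE_SIZE)
    if ! version_ge "$kver" 4.1; then
        echo "kernel $kver is older than 4.1: it cannot mount an ext4 fs with the encrypt feature" >&2
        return 1
    fi
    if ! block_size_ok "$kver" "$bs" "$ps"; then
        echo "block size $bs differs from page size $ps and kernel $kver is older than 5.5" >&2
        return 1
    fi
    if ! version_ge "$kver" 5.4; then
        echo "warning: kernel $kver is older than 5.4, only v1 encryption policies are available" >&2
    fi
    # Assumption: ext4 exposes this attribute when built with CONFIG_FS_ENCRYPTION.
    [ -e /sys/fs/ext4/features/encryption ] ||
        echo "warning: /sys/fs/ext4/features/encryption not found; check CONFIG_FS_ENCRYPTION" >&2
    if tune2fs -l "$dev" | sed -n 's/^Filesystem features: *//p' | grep -qw encrypt; then
        echo "encrypt feature already enabled on $dev"
    else
        echo "ok to run: tune2fs -O encrypt $dev"
    fi
}

# Run only when a device is given, so the helpers can be sourced without
# side effects:  sh ext4-encrypt-preflight.sh /dev/device
if [ $# -eq 1 ]; then
    ext4_encrypt_preflight "$1"
fi
```

Run it as root against the device before `tune2fs -O encrypt`; the version helper deliberately ignores patch levels and distribution suffixes, since all thresholds on this page are major.minor.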
F2FS
For F2FS, use when creating the file system or at a later time.
Userspace tool
Install the package. Then run:
# fscrypt setup
This creates the file and the directory /.fscrypt.
Then, if the file system on which encryption is to be used is not the root file system, also run:
# fscrypt setup mountpoint
where is where the file system is mounted, e.g. .
This creates the directory to store fscrypt policies and protectors.
Do not delete the .fscrypt directory; otherwise ALL access to encrypted files will be lost!
PAM module
To unlock login passphrase-protected directories automatically at login, and to keep login passphrase-protected directories in sync with changes to the login passphrase, adjust the system PAM configuration to enable .
Append the following line to the auth section in :
Insert the following lines before in the session section:
Finally, append the following line to /etc/pam.d/passwd:
Encrypt a directory
To encrypt an empty directory, run:
$ fscrypt encrypt dir
Follow the prompts to create or choose a "protector". A protector is the secret or information that protects the directory's encryption key. The types of protectors include:
- "custom_passphrase". This is exactly what it sounds like, a user defined passphrase.
- "pam_passphrase". This is the login passphrase for a particular user. Directories using this type of protector will be automatically unlocked by (if enabled) when that user logs in. Be sure to follow the security recommendations before using this type of protector.
In both cases, the passphrase can be changed later, or the directory can be re-protected with another method.
Example for custom passphrase:
Example for PAM passphrase:
Lock/unlock a directory
To unlock an encrypted directory, run:
$ fscrypt unlock dir
fscrypt will prompt for the passphrase.
To lock an encrypted directory, run:
$ fscrypt lock dir
Encrypt a home directory
To encrypt a user's home directory, first ensure that all preparations have been completed, including enabling .
Then, create a new encrypted directory for the user:
# mkdir /home/newhome
# chown user:user /home/newhome
# fscrypt encrypt /home/newhome --user=user
Select the option to protect the directory with the user's login passphrase.
Then copy the contents of the user's old home directory into the encrypted directory:
# cp -a -T /home/user /home/newhome
If the method was used, check whether the directory is being automatically unlocked on login before actually switching to using it. The simplest way to do this is to reboot and log in as that user. Afterwards, run:
If it says instead, then something is wrong with the PAM configuration, or the incorrect type of protector was selected.
Otherwise, replace the home directory:
# mv /home/user /home/oldhome
# mv /home/newhome /home/user
# reboot
If everything is working as expected, delete the old home directory:
# find /home/oldhome -type f -print0 | xargs -0 shred -n1 --remove=unlink
# rm -rf /home/oldhome
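The whole home-directory procedure above, split into the three steps between which the page tells you to reboot and test, is shown below as an added example script; it is not part of the wiki page or the fscrypt project. It refuses to swap directories unless the copy is complete and the new directory is actually unlocked, and it does not delete the old home until asked. The script assumes that `fscrypt status DIR` prints a line `Unlocked: Yes` or `Unlocked: No` (adjust `is_unlocked` if your version differs) and that v2 policies are in use, so that the unlocked state is visible to root after the user has logged in.

```shell
#!/bin/sh
# Added example (not from the wiki page or the fscrypt project): the
# home-directory migration as three steps with the checks an administrator
# would want before deleting anything.
#   prepare USER  - create, encrypt and fill /home/newhome; then reboot and
#                   log in as USER to test automatic unlocking
#   switch USER   - refuse to swap unless /home/newhome is unlocked, then swap
#   cleanup       - shred and remove /home/oldhome
# Assumption: `fscrypt status DIR` prints "Unlocked: Yes" / "Unlocked: No".

NEWHOME=/home/newhome
OLDHOME=/home/oldhome

# is_unlocked: read `fscrypt status` output on stdin, succeed if unlocked
is_unlocked() {
    grep -q '^Unlocked: *Yes'
}

# verify_copy SRC DST: succeed only if every path under SRC also exists
# under DST (a cheap completeness check for cp -a -T; symlinks count even
# when dangling; file names containing newlines are not handled).
verify_copy() {
    (cd "$1" && find . -print) | while IFS= read -r p; do
        [ -e "$2/$p" ] || [ -L "$2/$p" ] || {
            echo "missing in $2: $p" >&2
            exit 1   # leaves the pipeline subshell, so verify_copy fails
        }
    done
}

require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
}

prepare() {
    user=$1
    require_root || return 1
    [ -d "/home/$user" ] || { echo "/home/$user does not exist" >&2; return 1; }
    [ ! -e "$NEWHOME" ] || { echo "$NEWHOME already exists" >&2; return 1; }
    mkdir "$NEWHOME"
    chown "$user:$user" "$NEWHOME"
    # Interactive: choose the login-passphrase (pam_passphrase) protector here.
    fscrypt encrypt "$NEWHOME" --user="$user"
    cp -a -T "/home/$user" "$NEWHOME"
    verify_copy "/home/$user" "$NEWHOME" || return 1
    echo "now reboot, log in as $user, then run: $0 switch $user"
}

switch_home() {
    user=$1
    require_root || return 1
    fscrypt status "$NEWHOME" | is_unlocked || {
        echo "$NEWHOME is not unlocked: fix the PAM configuration or the protector type before switching" >&2
        return 1
    }
    mv "/home/$user" "$OLDHOME"
    mv "$NEWHOME" "/home/$user"
    echo "switched; reboot, confirm that $user can log in, then run: $0 cleanup"
}

cleanup() {
    require_root || return 1
    [ -d "$OLDHOME" ] || { echo "$OLDHOME not found" >&2; return 1; }
    find "$OLDHOME" -type f -print0 | xargs -0 shred -n1 --remove=unlink
    rm -rf "$OLDHOME"
}

# Dispatch only when invoked with a subcommand, so the helpers can be
# sourced or tested without touching /home.
case "${1:-}" in
    prepare) prepare "$2" ;;
    switch)  switch_home "$2" ;;
    cleanup) cleanup ;;
esac
```

The reboot-and-log-in test between `prepare` and `switch` is the only way to exercise the PAM path end to end, which is why the script stops there instead of swapping immediately.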
Encryption within Linux Containers (lxc)
Support for using fscrypt inside Linux Containers (lxc), or more generally in environments where the file system's root directory is not visible, was added in v0.2.8.
Lock directory when container is stopped
A systemd/User unit within the container can lock an encrypted directory when the container is stopped:
Troubleshooting
See https://github.com/google/fscrypt/blob/master/README.md#troubleshooting for solutions to some common problems and also the open issues on Github.