Re: [RFC] Preliminary BTRFS Encryption

[Anand Jain <anand.jain@oracle.com>]

Hi Chris,

> Hi Anand,
>
> Thanks for sending these out.  It's an important feature and I'm glad to
> see it getting some love.
>
> Right now, the design doc is really the most important part.  The
> encryption side of things requires a layer of extra verification that we
> can't get from reviewing the code alone.  We need to sit down with the
> use cases and the workflow and make sure it meets all the requirements
> of a secure system.

  yes.

> I'm the first to admit this needs a broader consensus than just
> linux-btrfs@, and we want our reviewers to be able to go through things
> without also having to understand every line of btrfs.

  right.

> I do want to make sure that we can send/recv signed and encrypted
> subvolumes, and be able to send them again unmodified.  This will end up
> needing a revision of the send/recv protocol, but it adds a use case
> wrinkle that we need to iron out in the design docs.

  Exactly. I have this in the requirement list. So I was hesitant
  to use any page(ext4)/sector(truecrypt) related IV. BTRFS just
  uses random IV which can be accessed through xattributes. But
  certainly has crypto issues. Anyway I will cover this in the document
  for the review by crypto experts.

> I still prefer encryption at the subvolume level, but it's going to need
> to be a superset of what is already possible with the vfs interfaces. If
> we can do it with the existing interfaces, great.  If not we should be
> adding features into the generic code where it makes sense.

  Sure Chris. Thanks for your comments.

- Anand

> -chris




In this situation I was almost to drop the encrypted send/recv from my 
list, thanks for mentioning I shall keep that in the design so as of now 
as I did not use anything which is