From: Neal Gompa <ngompa@fedoraproject.org>
To: Anand Jain <anand.jain@oracle.com>
Cc: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>,
"Theodore Y. Ts'o" <tytso@mit.edu>,
Jaegeuk Kim <jaegeuk@kernel.org>,
Eric Biggers <ebiggers@kernel.org>, Chris Mason <clm@fb.com>,
Josef Bacik <josef@toxicpanda.com>,
David Sterba <dsterba@suse.com>,
linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org,
kernel-team@fb.com, Omar Sandoval <osandov@osandov.com>,
Chris Murphy <lists@colorremedies.com>
Subject: Re: [PATCH v2 02/20] fscrypt: add flag allowing partially-encrypted directories
Date: Tue, 13 Sep 2022 07:02:45 -0400 [thread overview]
Message-ID: <CAEg-Je_=K6ky95ybv=Dx21bUPWjP-Vew14pu4KWVDQuYn+NTNg@mail.gmail.com> (raw)
In-Reply-To: <dbb3a5ea-65d9-12bd-bde3-e16ab2f44adc@oracle.com>
On Tue, Sep 13, 2022 at 6:21 AM Anand Jain <anand.jain@oracle.com> wrote:
>
> On 06/09/2022 08:35, Sweet Tea Dorminy wrote:
> > From: Omar Sandoval <osandov@osandov.com>
> >
> > Creating several new subvolumes out of snapshots of another subvolume,
> > each for a different VM's storage, is a important usecase for btrfs.
>
> > We
> > would like to give each VM a unique encryption key to use for new writes
> > to its subvolume, so that secure deletion of the VM's data is as simple
> > as securely deleting the key; to avoid needing multiple keys in each VM,
> > we envision the initial subvolume being unencrypted.
>
> In this usecase, you didn't mention if the original subvolume is
> encrypted, assuming it is not, so this usecase is the same as mentioned
> in the design document. Now, in this usecase, what happens if the
> original subvolume is encrypted? Can we still avoid the multiple keys?
> How is that going to work? Or we don't yet support subvolumes out of
> snapshots of another encrypted subvolume?
>
Count this as the first official "email triggered by Plumbers" I
suppose, but I've been looking forward to Btrfs encryption for Fedora
for a variety of use-cases:
* Converting a disk from unencrypted to encrypted without reinstalling[1]
* Encrypting system and user data with different credentials[2][3]
* Mass managed systems with dual-credential encryption (one rooted in
org, other by user)[1]
The way I envision Fedora's usage of this feature going is as follows:
The system is shipped (OEM install; e.g. Lenovo, Slimbook, etc.) or
installed without encryption (from Anaconda). The firstboot process
helps the user get setup, and asks if they want disk encryption
(provided there is no policy forcing it on). If the answer is yes,
then the root subvolume and the home subvolume are configured to be
encrypted using the on-board secure enclave (TPM or whatever). When
the user creation step occurs, if disk encryption was set on earlier,
then the user subvolume inside the home subvolume gets configured to
be encrypted using the login credentials. If it wasn't set on earlier,
we could also still offer to encrypt the user data here. If this is a
mass-managed system, an additional decryption key would be available
for the system manager to use in the event of credential loss, damaged
TPM, etc.
For the cloudy scenario, we'd probably provide tools to orchestrate
this from cloud-init for confidential computing stuff too.
For all this to work, I expect the following:
* Encryption to support *somehow* any number of decryption keys/methods
* Nesting of subvolumes with differing encryption methods
* The ability to blindly backup and restore subvolumes without needing
to decrypt
On a personal system, I expect at most two credentials in use: one
keyed to the system and one keyed to the user. For a corporate/mass
managed system, I expect a third one: one keyed to the management
platform. This is necessary because in a lot of jurisdictions, you
don't necessarily own the data on your corporate laptop, and the owner
has the right to be able to access that data. But a more prosaic or
banal reason is that people forget their credentials and being able to
reset them without losing all their data is usually a good thing. :)
Hopefully I've transcribed what I said properly into this email. :)
[1]: https://pagure.io/fedora-btrfs/project/issue/10
[2]: https://pagure.io/fedora-workstation/issue/82
[3]: https://pagure.io/fedora-workstation/issue/136
--
Neal Gompa (FAS: ngompa)
next prev parent reply other threads:[~2022-09-13 11:03 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-06 0:35 [PATCH v2 00/20] btrfs: add fscrypt integration Sweet Tea Dorminy
2022-09-06 0:35 ` [PATCH v2 01/20] fscrypt: expose fscrypt_nokey_name Sweet Tea Dorminy
2022-09-08 13:41 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 02/20] fscrypt: add flag allowing partially-encrypted directories Sweet Tea Dorminy
2022-09-08 13:43 ` Josef Bacik
2022-09-12 1:42 ` Eric Biggers
2022-09-15 18:58 ` Sweet Tea Dorminy
2022-09-13 10:07 ` Anand Jain
2022-09-13 11:02 ` Neal Gompa [this message]
2022-09-06 0:35 ` [PATCH v2 03/20] fscrypt: add fscrypt_have_same_policy() to check inode compatibility Sweet Tea Dorminy
2022-09-08 13:53 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 04/20] fscrypt: allow fscrypt_generate_iv() to distinguish filenames Sweet Tea Dorminy
2022-09-08 14:01 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 05/20] fscrypt: add extent-based encryption Sweet Tea Dorminy
2022-09-07 19:59 ` Omar Sandoval
2022-09-08 15:33 ` Josef Bacik
2022-09-10 18:53 ` kernel test robot
2022-09-12 1:34 ` Eric Biggers
2022-09-06 0:35 ` [PATCH v2 06/20] fscrypt: document btrfs' fscrypt quirks Sweet Tea Dorminy
2022-09-08 15:34 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 07/20] btrfs: store directory's encryption state Sweet Tea Dorminy
2022-09-08 15:37 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 08/20] btrfs: use fscrypt_names instead of name/len everywhere Sweet Tea Dorminy
2022-09-07 20:04 ` David Sterba
2022-09-06 0:35 ` [PATCH v2 09/20] btrfs: setup fscrypt_names from dentrys using helper Sweet Tea Dorminy
2022-09-08 19:11 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 10/20] btrfs: factor a fscrypt_name matching method Sweet Tea Dorminy
2022-09-08 19:27 ` Josef Bacik
2022-09-09 10:15 ` David Sterba
2022-09-09 13:00 ` Christoph Hellwig
2022-09-09 13:34 ` David Sterba
2022-09-16 22:18 ` J Lovejoy
2022-09-19 2:00 ` Bradley M. Kuhn
2022-09-19 17:20 ` David Sterba
2022-09-19 16:52 ` David Sterba
2022-09-09 13:41 ` Chris Mason
2022-09-06 0:35 ` [PATCH v2 11/20] btrfs: disable various operations on encrypted inodes Sweet Tea Dorminy
2022-09-06 6:36 ` kernel test robot
2022-09-07 20:11 ` David Sterba
2022-09-06 0:35 ` [PATCH v2 12/20] btrfs: start using fscrypt hooks Sweet Tea Dorminy
2022-09-07 20:17 ` David Sterba
2022-09-07 20:42 ` Sweet Tea Dorminy
2022-09-12 1:50 ` Eric Biggers
2022-09-08 19:42 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 13/20] btrfs: add fscrypt_context items Sweet Tea Dorminy
2022-09-07 20:43 ` David Sterba
2022-09-08 20:06 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 14/20] btrfs: translate btrfs encryption flags and encrypted inode flag Sweet Tea Dorminy
2022-09-08 20:07 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 15/20] btrfs: store a fscrypt extent context per normal file extent Sweet Tea Dorminy
2022-09-07 21:10 ` David Sterba
2022-09-07 21:39 ` Sweet Tea Dorminy
2022-09-09 10:04 ` David Sterba
2022-09-06 0:35 ` [PATCH v2 16/20] btrfs: Add new FEATURE_INCOMPAT_FSCRYPT feature flag Sweet Tea Dorminy
2022-09-09 11:35 ` David Sterba
2022-09-12 1:36 ` Eric Biggers
2022-09-06 0:35 ` [PATCH v2 17/20] btrfs: reuse encrypted filename hash when possible Sweet Tea Dorminy
2022-09-07 21:24 ` David Sterba
2022-09-06 0:35 ` [PATCH v2 18/20] btrfs: adapt directory read and lookup to potentially encrypted filenames Sweet Tea Dorminy
2022-09-08 20:15 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 19/20] btrfs: encrypt normal file extent data if appropriate Sweet Tea Dorminy
2022-09-08 20:19 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 20/20] btrfs: implement fscrypt ioctls Sweet Tea Dorminy
2022-09-07 21:33 ` David Sterba
2022-09-06 22:35 ` [PATCH v2 00/20] btrfs: add fscrypt integration Eric Biggers
2022-09-06 23:01 ` Sweet Tea Dorminy
2022-09-06 23:10 ` Eric Biggers
2022-09-07 0:01 ` Sweet Tea Dorminy
2022-09-07 19:38 ` David Sterba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEg-Je_=K6ky95ybv=Dx21bUPWjP-Vew14pu4KWVDQuYn+NTNg@mail.gmail.com' \
--to=ngompa@fedoraproject.org \
--cc=anand.jain@oracle.com \
--cc=clm@fb.com \
--cc=dsterba@suse.com \
--cc=ebiggers@kernel.org \
--cc=jaegeuk@kernel.org \
--cc=josef@toxicpanda.com \
--cc=kernel-team@fb.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=lists@colorremedies.com \
--cc=osandov@osandov.com \
--cc=sweettea-kernel@dorminy.me \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.