* Is fscrypt encryption FIPS compliant?
@ 2021-05-27 20:08 Jerry Chung
  2021-05-28  0:12 ` Eric Biggers
  0 siblings, 1 reply; 6+ messages in thread
From: Jerry Chung @ 2021-05-27 20:08 UTC
  To: linux-fscrypt

Hi Team,

I am considering using `fscrypt` to encrypt directory files and just wondered if fscrypt encryption is compliant with FIPS. If so, would it be possible to get the CMVP number for that? If not, is there any plan to get the certification?

Thanks,
Jerry Chung


* Re: Is fscrypt encryption FIPS compliant?
  2021-05-27 20:08 Is fscrypt encryption FIPS compliant? Jerry Chung
@ 2021-05-28  0:12 ` Eric Biggers
  2021-05-28 13:54   ` Jerry Chung
  0 siblings, 1 reply; 6+ messages in thread
From: Eric Biggers @ 2021-05-28  0:12 UTC
  To: Jerry Chung; +Cc: linux-fscrypt

On Thu, May 27, 2021 at 08:08:20PM +0000, Jerry Chung wrote:
> Hi Team,
> 
> I am considering using `fscrypt` to encrypt directory files and just wondered if fscrypt encryption is compliant with FIPS. If so, would it be possible to get the CMVP number for that? If not, is there any plan to get the certification?
> 
> Thanks,
> Jerry Chung

No, there is no plan to certify fscrypt (kernel part or userspace part) as a
FIPS cryptographic module.

- Eric


* RE: Is fscrypt encryption FIPS compliant?
  2021-05-28  0:12 ` Eric Biggers
@ 2021-05-28 13:54   ` Jerry Chung
  2021-05-28 16:26     ` Jerry Chung
  0 siblings, 1 reply; 6+ messages in thread
From: Jerry Chung @ 2021-05-28 13:54 UTC
  To: Eric Biggers; +Cc: linux-fscrypt

Thanks for the information.

jerry

* RE: Is fscrypt encryption FIPS compliant?
  2021-05-28 13:54   ` Jerry Chung
@ 2021-05-28 16:26     ` Jerry Chung
  2021-05-29  1:25       ` Eric Biggers
  0 siblings, 1 reply; 6+ messages in thread
From: Jerry Chung @ 2021-05-28 16:26 UTC
  To: Eric Biggers; +Cc: linux-fscrypt

Hi Eric,

Does fscrypt (kernel part and userspace part) implement any encryptions by itself? Or is it relying on the kernel crypto API?

Thanks,
jerry

* Re: Is fscrypt encryption FIPS compliant?
  2021-05-28 16:26     ` Jerry Chung
@ 2021-05-29  1:25       ` Eric Biggers
  2021-05-31 14:30         ` Jerry Chung
  0 siblings, 1 reply; 6+ messages in thread
From: Eric Biggers @ 2021-05-29  1:25 UTC
  To: Jerry Chung; +Cc: linux-fscrypt

On Fri, May 28, 2021 at 04:26:56PM +0000, Jerry Chung wrote:
> Hi Eric,
> 
> Does fscrypt (kernel part and userspace part) implement any encryptions by
> itself? Or is it relying on the kernel crypto API?
> 
> Thanks,
> jerry

In the kernel part, currently the encryption algorithms are accessed through the
kernel crypto API and/or through blk-crypto (the kernel's interface to inline
encryption hardware).  The hash algorithms SHA-256 and SipHash are accessed
through their library interface.  The key derivation algorithm HKDF is
implemented in fs/crypto/ on top of HMAC-SHA512 from the kernel crypto API.

The userspace tool https://github.com/google/fscrypt (note, this isn't the only
userspace tool that can use the kernel part) uses cryptographic algorithms from
third-party Go packages, which get built into the resulting binary.  See the
source code for details.

Note that these are all implementation details, which may differ in past and
future versions of the software, both kernel and userspace.

- Eric
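
[Added example, not part of the thread and not kernel or fscrypt code: the layering described above, HKDF (RFC 5869) built on HMAC-SHA512, sketched in Python to show which primitive a module-boundary review would have to trace. The master key and the info labels are constructed for illustration; the info-string layout the kernel actually uses is not given in this thread.]

```python
import hashlib
import hmac

HASH = hashlib.sha512
HASH_LEN = HASH().digest_size  # 64 bytes for SHA-512

# Constructed sample input, not a real key.
SAMPLE_MASTER_KEY = bytes(range(64))
# Hypothetical labels; one distinct info string per derived key.
SAMPLE_LABELS = (b"example-contents-key", b"example-filenames-key")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-SHA512(salt, IKM)."""
    if not salt:
        salt = bytes(HASH_LEN)  # absent salt means HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(n) = HMAC-SHA512(PRK, T(n-1) | info | n)."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("length must be in 1..255*HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_subkeys(master_key: bytes, labels, length: int = 64) -> dict:
    """Extract once, then expand one subkey per distinct info label."""
    prk = hkdf_extract(b"", master_key)
    return {label: hkdf_expand(prk, label, length) for label in labels}


if __name__ == "__main__":
    for label, key in derive_subkeys(SAMPLE_MASTER_KEY, SAMPLE_LABELS).items():
        print(label.decode(), key.hex()[:32] + "...")
```

Every byte of output comes from HMAC-SHA512 calls; HKDF itself adds only the counter and chaining logic, which is why the reply distinguishes the code in fs/crypto/ from the primitive supplied by the kernel crypto API.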


* RE: Is fscrypt encryption FIPS compliant?
  2021-05-29  1:25       ` Eric Biggers
@ 2021-05-31 14:30         ` Jerry Chung
  0 siblings, 0 replies; 6+ messages in thread
From: Jerry Chung @ 2021-05-31 14:30 UTC
  To: Eric Biggers; +Cc: linux-fscrypt

Thanks a lot for the detailed explanation, Eric.

jerry