Open Bios-Marcel opened 2 months ago
Hi there, very interesting use of this project. However, I'm not sure if atomicity is something that we can ever achieve. I mean... it's a filesystem and not a database.
The exception you're seeing makes sense. It means that the file/chunk cannot be authenticated, see file content encryption. The file/chunk was probably unable to finish writing and killed during the process, which would screw up the authentication tag, necessary for GCM.
What you're seeing is basically a broken file. Something that would also occur, when dealing with "regular" filesystems in such a scenario. The only difference is that cryptofs fails to deliver the contents of a file, if something goes wrong during decryption. #4 may be something that you're looking for, but was closed due to the introduction of GCM.
To be honest, this is where my knowledge about all this ends. You may have to catch the AuthenticationFailedException
and somehow deal with unreadable files.
Maybe someone else can chime in on more specifics, not sure if I got something wrong.
Well, after thinking about it, it makes sense that this does not work.
Maybe our usecase is just not a good idea.
@tobihagemann atomicity is not something a file system can provide, i think.
but even if it could, it would not solve the above issue. even atomic operations will fail, if power was cut in the middle of them.
isn't this issue rather about failure recovery? what is, for example, cryptofs stopping from ignoring broken files instead of bringing the whole file system down, just because one file could not be authenticated?
but even if it could, it would not solve the above issue. even atomic operations will fail, if power was cut in the middle of them.
I agree.
what is, for example, cryptofs stopping from ignoring broken files instead of bringing the whole file system down, just because one file could not be authenticated?
Oh yeah, that's what I've got wrong. So... nothing, because this should already be the case. This exception doesn't bring the whole file system down. 😄 But the exception is obviously still reported.
Or what am I missing here?
Oh yeah, that's what I've got wrong. So... nothing, because this should already be the case. This exception doesn't bring the whole file system down. 😄 But the exception is obviously still reported.
Yes, I think it is simply failing to read specific files. The filesystem as a whole is still functional, I have tested that. But even so, we can't really do anything here.
Oh yeah, that's what I've got wrong
I did not mean to insult your intelligence, only looking for potential solutions here.
Hey,
We are currently trying to use cryptofs as the backing filesystem for https://github.com/eclipse-store.
EclipseStore offers a type of transaction object, where you can
store
multiple things and thencommit
them, flushing them to the storage target.In this scenario the storage target is a cryptofs instance. When killing the JVM abruptly (not graceful), this will cause broken files that can't be decrypted anymore.
I have created a reproducer repo here:
https://github.com/Bios-Marcel/cryptofs_bug_reproducer
You can switch between the uncrypted and encrypted versions of the reproducer by commenting / uncommenting the respective first line in
EclipseStoreMain
.To cause the issue, you need to kill the JVM after the console puts out
Committing
, but before it saysCommitted
. Given that cryptofs is a filesystem abstraction, I am doubting that EclipseStore does anything wrong here, especially since there is no issue in reading / writing the data without encryption.Here's the exception: