google / fscrypt

Go tool for managing Linux filesystem encryption
Apache License 2.0

fscrypt master key handling at kernel space adding additional secure params. #368

Closed pandiaraj88 closed 1 year ago

pandiaraj88 commented 1 year ago

In fscrypt, the master key is received from userspace and the actual encryption keys are derived from this master key using a KDF. If any other process is able to get hold of the master key, it can unlock the encrypted directory and access the contents. It is up to the user space to avoid this using any access control or ownership restrictions. Instead of leaving this to user space, we are thinking of ways to achieve this functionality from the kernel side by adding additional secure params.
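To make the threat concrete, here is an added Go example (not code from the fscrypt tool or the kernel) that reproduces the shape of the kernel's v2 key hierarchy: every subkey is HKDF-SHA512 over the master key with the info string "fscrypt\0" || context byte || caller info. The context values (1 for the key identifier, 2 for per-file keys) and the info layout are assumed from memory of fs/crypto/fscrypt_private.h and fs/crypto/hkdf.c; the master key and file nonces below are constructed for illustration. The point it demonstrates is the one raised above: since per-file nonces are stored in the clear, anyone holding the master key can derive every file key under it, while the reverse is blocked by the KDF.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
)

// HKDF context bytes in the kernel's v2 fscrypt key hierarchy. These values
// are assumed from the kernel's fs/crypto/fscrypt_private.h; check your
// kernel tree before depending on them.
const (
	ctxKeyIdentifier byte = 1 // info = <empty>;       output: 16-byte key identifier
	ctxPerFileEncKey byte = 2 // info = 16-byte nonce; output: per-file encryption key
)

// hkdfSHA512 is RFC 5869 HKDF-SHA512 (extract, then expand) with an empty
// salt, written against the standard library only. An empty salt is
// equivalent to the RFC's default of HashLen zero bytes because HMAC
// zero-pads the key to the block size either way.
func hkdfSHA512(ikm, info []byte, outLen int) []byte {
	ext := hmac.New(sha512.New, nil)
	ext.Write(ikm)
	prk := ext.Sum(nil)

	var out, prev []byte
	for counter := byte(1); len(out) < outLen; counter++ {
		h := hmac.New(sha512.New, prk)
		h.Write(prev)
		h.Write(info)
		h.Write([]byte{counter})
		prev = h.Sum(nil)
		out = append(out, prev...)
	}
	return out[:outLen]
}

// deriveSubkey mirrors the assumed fscrypt_hkdf_expand() info layout:
// info = "fscrypt\0" || context || caller-supplied info.
func deriveSubkey(masterKey []byte, context byte, info []byte, outLen int) []byte {
	full := append([]byte("fscrypt\x00"), context)
	full = append(full, info...)
	return hkdfSHA512(masterKey, full, outLen)
}

// KeyIdentifier is the 16-byte value recorded in a directory's encryption
// policy. It tells the kernel which master key the directory needs without
// revealing that key.
func KeyIdentifier(masterKey []byte) []byte {
	return deriveSubkey(masterKey, ctxKeyIdentifier, nil, 16)
}

// PerFileKey derives one file's content key from the master key and the
// file's 16-byte nonce. The nonce is not secret (it lives in the inode's
// encryption xattr), so possession of masterKey is sufficient to derive
// every file key beneath it.
func PerFileKey(masterKey, nonce []byte, keyLen int) []byte {
	return deriveSubkey(masterKey, ctxPerFileEncKey, nonce, keyLen)
}

func main() {
	// Constructed 64-byte master key for illustration, not a real key.
	sum := sha512.Sum512([]byte("example master key material, not for real use"))
	masterKey := sum[:]

	// Two files with two constructed nonces.
	nonceA := bytes.Repeat([]byte{0x11}, 16)
	nonceB := bytes.Repeat([]byte{0x22}, 16)

	fmt.Println("key identifier:", hex.EncodeToString(KeyIdentifier(masterKey)))
	fmt.Println("file A key:    ", hex.EncodeToString(PerFileKey(masterKey, nonceA, 32)))
	fmt.Println("file B key:    ", hex.EncodeToString(PerFileKey(masterKey, nonceB, 32)))
}
```

Run it twice and the identifier and file keys are identical, which is the whole point: nothing about the derivation is secret except the master key, so confining who can read that key (today, a userspace concern when the key is added via the keyring) is the entire access boundary.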

josephlr commented 1 year ago

I'm a little confused by this issue. Is this requesting a particular feature to be implemented in this tool? Or is this about the kernel API for the filesystem encryption subsystem?

ebiggers commented 1 year ago

First, this sounds like a kernel feature request. This git repo is just for the fscrypt userspace tool, not for the Linux kernel side of filesystem encryption (which is also sometimes called "fscrypt"). Discussions about the kernel should happen on the Linux mailing list linux-fscrypt@vger.kernel.org.

Second, I've already been working on something that achieves this property. See https://lore.kernel.org/linux-fscrypt/20220927014718.125308-1-ebiggers@kernel.org/T/#u. If you'd like to comment on that proposal, please do so on the mailing list.