home.social

#fscrypt — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #fscrypt, aggregated by home.social.

  1. @Sigma I understand. Without any real documented alternatives and migration paths, changes like this can be expected to trip up people though 🙃

    - #fscrypt only supports some filesystems, setup and migration seem very manual and tedious, no #nixos wiki page or writeups
    - #gocryptfs is FUSE, but also seems tedious, nothing for nixos either
    - #CryFS is totally not designed for homedir encryption (though someone tried but stopped).

  6. #askfedi To my fellow nerds out there, is #btrfs not properly compatible with #fscrypt on #Fedora 42 using #systemd-homed yet or did I just fuck something up? Luks works well and is more secure because it encrypts metadata but I really wanted to try dynamic encrypted home directories.

  7. In Linux 6.7 More Adaptable For Inline Encryption Hardware

    phoronix.com/news/Linux-6.7-FS

  8. Sweet Tea Dorminy submitted a patch-set adding an encryption feature to : lore.kernel.org/all/cover.1687

    > This is a changeset adding encryption to btrfs. It is not complete; it does not support inline data or verity or authenticated encryption. It is primarily intended as a proof that the fscrypt extent encryption changeset it builds on work.

    For the mentioned changes see:
    lore.kernel.org/linux-fscrypt/

  9. Hm, interesting, #fedora seems to be moving to full-disk-encryption using #btrfs and #fscrypt by default, along with signing unified kernel images (UKIs) and using the #TPM. No measuring/attestation AFAICT yet, but a very good move forward!

    They also want to separately encrypt homes, and even mention #systemd #homed in the Pagure:
    pagure.io/fedora-workstation/b
    However they write:

    > *It cannot be universal for all Fedora systems - some things like NFS home directories are out of scope for systemd-homed. Logging in remotely via ssh is not supported. (???)*

    I'm pretty sure ssh is supported and even documented, and #NFS should be of no business to homed? But NFS+automount should work perfectly fine with #homed, or did I misunderstand something?

    Maybe someone with more knowledge than me should chip in, otherwise they will re-invent the wheel (and doing separately encrypted homes is hard to do correctly!)

  10. Support for SM4 encryption in was merged for 6.2 as part of the fscrypt updates, but the maintainer recommends against using it: git.kernel.org/torvalds/c/8129