2

I'm trying to understand e4crypt and fscrypt, and also how they differ. But it is hard to find documentation on e4crypt other than the command line tool man page and some old tutorials.

Is there any documentation on how the kernel side of things works?
I'm mainly interested in the higher level stuff: what is stored where?
The applicable policy and crypto options/algorithm need to be stored somewhere. (In the inode? Extended attributes? Of every file or just the root encrypted directory?)

Also the fscrypt documentation says fscrypt is a kernel-level library that filesystems can use to implement encryption. Does that mean that e4crypt encryption has a separate implementation or do they use the same implementation for the low level encryption stuff?

1 Answer

2

Native filesystem encryption is supported since Linux-4.1.
The kernel level is nowadays implemented in the fs/crypto directory of the kernel source tree and commonly referred to as fscrypt.

e4crypt, part of the e2fsprogs package, is the initial userspace tool that relies on the native ext4 filesystem encryption. It was (since it is no longer actively developed) a basic low-level tool.
It is indeed poorly documented (even the code is), only some "small howto" being reported.

fscrypt is also the name of a high-level tool for the management of Linux native filesystem encryption.
It was designed by Google with the intent to "supersede e4crypt".

To answer your questions in short:

  • e4crypt, as a userspace tool, has no other "kernel side" than the kernel's native filesystem implementation it accesses via syscalls (look at lines 92 & 101)
  • e4crypt relies on the same native implementation of the Linux native filesystem encryption as the fscrypt utility from Google does.
  • 1
    Great. My follow-up question then was where different behaviors come from, e.g. e4crypt storing keys in the kernel keyring while fscrypt does not. But it turns out those are differences between the v1 policy and v2 policy that the kernel API supports, and are documented in the details of the fscrypt API you linked. Commented May 6, 2024 at 10:13
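
The v1 and v2 policies mentioned in the comment above can be read back from an encrypted directory with the kernel's `FS_IOC_GET_ENCRYPTION_POLICY_EX` ioctl, whichever userspace tool set them. The sketch below is an added example, not part of the original answer or of either tool; the ioctl number and struct layouts follow `<linux/fscrypt.h>`, while the function names and sample byte strings are constructed for illustration.

```python
import fcntl
import os
import struct

# _IOWR('f', 22, __u8[9]) from <linux/fscrypt.h>, computed with the generic
# ioctl encoding (x86, arm); a few architectures encode it differently.
FS_IOC_GET_ENCRYPTION_POLICY_EX = 0xC0096616
MODES = {1: "AES-256-XTS", 4: "AES-256-CTS", 5: "AES-128-CBC",
         6: "AES-128-CTS", 9: "Adiantum"}

def parse_policy(raw: bytes) -> dict:
    """Decode a struct fscrypt_policy_v1 or fscrypt_policy_v2."""
    if len(raw) < 4:
        raise ValueError("policy too short")
    version, contents, filenames, flags = struct.unpack_from("4B", raw)
    if version == 0:    # v1: 8-byte master_key_descriptor follows the header
        label, key_off, key_len = "v1", 4, 8
    elif version == 2:  # v2: 4 reserved bytes, then 16-byte master_key_identifier
        label, key_off, key_len = "v2", 8, 16
    else:
        raise ValueError(f"unknown policy version {version}")
    if len(raw) != key_off + key_len:
        raise ValueError(f"bad length {len(raw)} for {label} policy")
    return {
        "version": label,
        "contents_mode": MODES.get(contents, f"mode {contents}"),
        "filenames_mode": MODES.get(filenames, f"mode {filenames}"),
        "filename_padding": 4 << (flags & 0x03),
        "key_ref": raw[key_off:].hex(),
    }

def get_policy(path: str) -> dict:
    """Ask the kernel for the policy of an encrypted file or directory."""
    # struct fscrypt_get_policy_ex_arg: __u64 policy_size, then the policy union
    buf = bytearray(struct.pack("=Q", 24) + bytes(24))
    fd = os.open(path, os.O_RDONLY)
    try:
        fcntl.ioctl(fd, FS_IOC_GET_ENCRYPTION_POLICY_EX, buf)  # fills buf in place
    finally:
        os.close(fd)
    (size,) = struct.unpack_from("=Q", buf)
    return parse_policy(bytes(buf[8:8 + size]))

# Constructed sample policies (not taken from a real filesystem)
SAMPLE_V1 = bytes([0, 1, 4, 0]) + bytes.fromhex("0011223344556677")
SAMPLE_V2 = bytes([2, 1, 4, 2, 0, 0, 0, 0]) + bytes(range(16))

if __name__ == "__main__":
    print(parse_policy(SAMPLE_V1))
    print(parse_policy(SAMPLE_V2))
```

On a kernel with fscrypt support, `get_policy("/path/to/encrypted/dir")` returns the same dictionary for a real directory and raises `OSError` when the path is not encrypted or the filesystem does not support the ioctl.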
