
One can set the "encrypt" feature on an ext4 filesystem with:

tune2fs -O encrypt /dev/device

  1. How much overhead is there with ext4 encryption?

  2. If the user no longer needs encryption on this filesystem, is it possible to turn it off? (The man page of tune2fs says currently only setting this feature is supported.)

  3. If the user decides a previously encrypted directory should not be encrypted any more, is it possible to disable encryption on this directory in-place, while keeping other encrypted directories intact?

2 Answers

  1. Not much, but specifics depend on the encryption used, the CPU etc.

  2. tune2fs doesn’t support disabling encryption, but it can be done with debugfs:

    debugfs -w -R "feature -encrypt" /dev/... 

    Make sure you run fsck before and after, and that you don’t have any encrypted files you care about (fscrypt status /home will count the protectors throughout /home).

  3. Apparently not, you need to copy the files from the encrypted (and unlocked) directory to another, non-encrypted directory.

  • I'm not sure if there is a strong reason why tune2fs doesn't allow flag removal; guess it could be simply due to confusion, since forcefully removing the flag does not actually stop the encryption at all. Commented May 12, 2020 at 10:59
  • Also both mke2fs and tune2fs have code to set additional flags (encryption algorithm) in the superblock when enabling the feature; debugfs does not and simply ignores the clear flag restrictions. So there is no deliberate implementation of this feature in debugfs and enabling the flag with it doesn't do the same thing as mke2fs/tune2fs either. Commented May 12, 2020 at 11:02
  • About Answer 2: Having to run fsck makes that command look really risky. And I assume that command simply disables encryption/decryption processing by removing a flag, but encryption-related metadata (nonces, etc.) are still kept on the filesystem? Commented May 12, 2020 at 20:41
  • It’s just a precaution. I imagine the flag is only toggled, and all the data remains, but I haven’t checked. (It might be the case that fsck clears any encrypted data if the flag is disabled, although I don’t see anything like that in the source code so I suspect it doesn’t.) Commented May 12, 2020 at 21:03

Not with tune2fs, apparently. So, guess not.

# tune2fs -O ^encrypt /dev/loop0
tune2fs 1.45.6 (20-Mar-2020)
Clearing filesystem feature 'encrypt' not supported.

Also, note that this flag does not encrypt your filesystem. It merely adds support so you can set up encryption keys and policies for empty directories with e4crypt. On a filesystem without the encrypt feature, e4crypt will fail with an "Operation not supported" error.

If the user decides a previously encrypted directory should not be encrypted any more

You have to copy files from encrypted directory to unencrypted one.

  • What would be your answer to Question 1, in terms of space overhead? My test shows each encrypted file is 4096-byte larger than an unencrypted one. Do we need to store more than a 16-byte nonce for each file? Commented May 20, 2020 at 10:09
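The enable/clear round trip that the two answers describe (tune2fs -O encrypt to set the feature, tune2fs -O ^encrypt refusing to clear it, debugfs -w -R "feature -encrypt" clearing it, with an fsck before and after), as an added example that is not part of either answer. It runs the e2fsprogs tools against a scratch image file rather than a real block device, so it needs neither root nor a mount; the helper names (feature_enabled, fs_header, toggle_encrypt_roundtrip, make_scratch_image) and the 64 MiB image size are this example's own choices, and the dumpe2fs "Filesystem features:" line is what it parses to confirm each step actually took effect.

```shell
#!/bin/sh
# Added example (not code from the original post): enable the ext4 "encrypt"
# feature, show that tune2fs refuses to clear it, clear it with debugfs, and
# verify each state via dumpe2fs. Works on a scratch image file, unprivileged.
set -eu

# feature_enabled NAME HEADER: succeed if the "Filesystem features:" line of a
# dumpe2fs -h header lists NAME as a whole word. Pure text parsing, so it can be
# checked against constructed output as well as real dumpe2fs output.
feature_enabled() {
    name=$1
    header=$2
    printf '%s\n' "$header" \
        | grep '^Filesystem features:' \
        | tr ' \t' '\n\n' \
        | grep -qx "$name"
}

# fs_header IMG: superblock summary of IMG (dumpe2fs prints its banner to stderr).
fs_header() {
    dumpe2fs -h "$1" 2>/dev/null
}

# make_scratch_image: create a 64 MiB ext4 image in a temp file and print its path.
make_scratch_image() {
    img=$(mktemp "${TMPDIR:-/tmp}/ext4-encrypt.XXXXXX")
    truncate -s 64M "$img"
    mkfs.ext4 -q -F "$img"
    echo "$img"
}

# toggle_encrypt_roundtrip IMG: the procedure from the answers, applied to IMG.
# Prints "on" once tune2fs has set the feature and "off" once debugfs has
# cleared it; returns non-zero if either step did not show up in the superblock.
toggle_encrypt_roundtrip() {
    img=$1

    # Step 1: set the feature the supported way.
    tune2fs -O encrypt "$img" >/dev/null
    feature_enabled encrypt "$(fs_header "$img")" || return 1
    echo on

    # Step 2: tune2fs will not clear it ("Clearing filesystem feature
    # 'encrypt' not supported."); we only note it if that ever changes.
    if tune2fs -O ^encrypt "$img" >/dev/null 2>&1; then
        echo "tune2fs unexpectedly cleared encrypt" >&2
    fi

    # Step 3: the precaution from the answer, fsck before (-n: read-only,
    # answer no to everything), then clear the bit with debugfs, then fsck again.
    e2fsck -fn "$img" >/dev/null || echo "e2fsck (before) reported issues" >&2
    debugfs -w -R "feature -encrypt" "$img" >/dev/null 2>&1
    e2fsck -fn "$img" >/dev/null || echo "e2fsck (after) reported issues" >&2

    if feature_enabled encrypt "$(fs_header "$img")"; then
        return 1
    fi
    echo off
}

# Usage: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    img=$(make_scratch_image)
    toggle_encrypt_roundtrip "$img"
    rm -f "$img"
fi
```

Only the feature bit is toggled; as the comments above note, debugfs does not touch the rest of the superblock or any per-directory policy metadata, so run it only once fscrypt status reports no protectors you still care about.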
