How To F2FS Filesystem Encryption?

up vote
1
down vote

favorite

I read that the f2fs format is good for SSD storage so I formatted one of my drives with it. I also read in some kernel notes that encryption was added for it but there's no documentation to speak of. I typically prefer whole disk encryption. I'm not sure if that's possible for f2fs.

I'm wondering if anyone knows any steps in which I might be able to encrypt an f2fs drive. I know it's done on Android for their full drive encryption (I'm running Ubuntu). Is LUKS filesystem agnostic? I don't think so. Any encryption would be good.

No docs == no good.

Here's a reference of kernel updates: http://lkml.iu.edu/hypermail/linux/kernel/1506.3/00598.html

edited Dec 25 '16 at 21:21

asked Dec 24 '16 at 16:06

xendi

297213

That's the thing. I'm not sure because he says "I know about eCryptFS, LUKES and encfs" and I don't know what the kernel updates apply or how to go about learning to use them, whether it's per-file/dir encryption, full-disk or both. There's just nothing to reference that I can find.
– xendi
Dec 25 '16 at 21:48

I suppose if the answer that was given about LUKS means I can use LUKS with my F2FS drive then that will do but I want to know about the kernel updates.
– xendi
Dec 25 '16 at 21:51

I do not know why someone down voted this question. It might not have the best phrasing, but is no duplicate to the other, as the other wants to encrypt only parts of the file system and this question is about encrypting the whole FS. It is also not related to LUKS, because as far as I can tell, f2fs has a seperate encryption method which is not related to LUKS. What I do not know, is if this method of f2fs can be applied to a whole filesystem and not just to all parts.
– JepZ
Apr 29 '17 at 12:58

add a comment |

up vote
1
down vote

favorite

No docs == no good.

Here's a reference of kernel updates: http://lkml.iu.edu/hypermail/linux/kernel/1506.3/00598.html

edited Dec 25 '16 at 21:21

asked Dec 24 '16 at 16:06

xendi

297213

That's the thing. I'm not sure because he says "I know about eCryptFS, LUKES and encfs" and I don't know what the kernel updates apply or how to go about learning to use them, whether it's per-file/dir encryption, full-disk or both. There's just nothing to reference that I can find.
– xendi
Dec 25 '16 at 21:48

I suppose if the answer that was given about LUKS means I can use LUKS with my F2FS drive then that will do but I want to know about the kernel updates.
– xendi
Dec 25 '16 at 21:51

I do not know why someone down voted this question. It might not have the best phrasing, but is no duplicate to the other, as the other wants to encrypt only parts of the file system and this question is about encrypting the whole FS. It is also not related to LUKS, because as far as I can tell, f2fs has a seperate encryption method which is not related to LUKS. What I do not know, is if this method of f2fs can be applied to a whole filesystem and not just to all parts.
– JepZ
Apr 29 '17 at 12:58

add a comment |

up vote
1
down vote

favorite

No docs == no good.

Here's a reference of kernel updates: http://lkml.iu.edu/hypermail/linux/kernel/1506.3/00598.html

edited Dec 25 '16 at 21:21

asked Dec 24 '16 at 16:06

xendi

297213

No docs == no good.

Here's a reference of kernel updates: http://lkml.iu.edu/hypermail/linux/kernel/1506.3/00598.html

encryption disk-encryption f2fs

edited Dec 25 '16 at 21:21

asked Dec 24 '16 at 16:06

xendi

297213

edited Dec 25 '16 at 21:21

asked Dec 24 '16 at 16:06

xendi

297213

edited Dec 25 '16 at 21:21

asked Dec 24 '16 at 16:06

xendi

297213

asked Dec 24 '16 at 16:06

xendi

297213

asked Dec 24 '16 at 16:06

xendi

297213

That's the thing. I'm not sure because he says "I know about eCryptFS, LUKES and encfs" and I don't know what the kernel updates apply or how to go about learning to use them, whether it's per-file/dir encryption, full-disk or both. There's just nothing to reference that I can find.
– xendi
Dec 25 '16 at 21:48

I suppose if the answer that was given about LUKS means I can use LUKS with my F2FS drive then that will do but I want to know about the kernel updates.
– xendi
Dec 25 '16 at 21:51

I do not know why someone down voted this question. It might not have the best phrasing, but is no duplicate to the other, as the other wants to encrypt only parts of the file system and this question is about encrypting the whole FS. It is also not related to LUKS, because as far as I can tell, f2fs has a seperate encryption method which is not related to LUKS. What I do not know, is if this method of f2fs can be applied to a whole filesystem and not just to all parts.
– JepZ
Apr 29 '17 at 12:58

add a comment |

That's the thing. I'm not sure because he says "I know about eCryptFS, LUKES and encfs" and I don't know what the kernel updates apply or how to go about learning to use them, whether it's per-file/dir encryption, full-disk or both. There's just nothing to reference that I can find.
– xendi
Dec 25 '16 at 21:48

I suppose if the answer that was given about LUKS means I can use LUKS with my F2FS drive then that will do but I want to know about the kernel updates.
– xendi
Dec 25 '16 at 21:51

I do not know why someone down voted this question. It might not have the best phrasing, but is no duplicate to the other, as the other wants to encrypt only parts of the file system and this question is about encrypting the whole FS. It is also not related to LUKS, because as far as I can tell, f2fs has a seperate encryption method which is not related to LUKS. What I do not know, is if this method of f2fs can be applied to a whole filesystem and not just to all parts.
– JepZ
Apr 29 '17 at 12:58

That's the thing. I'm not sure because he says "I know about eCryptFS, LUKES and encfs" and I don't know what the kernel updates apply or how to go about learning to use them, whether it's per-file/dir encryption, full-disk or both. There's just nothing to reference that I can find.
– xendi
Dec 25 '16 at 21:48

I suppose if the answer that was given about LUKS means I can use LUKS with my F2FS drive then that will do but I want to know about the kernel updates.
– xendi
Dec 25 '16 at 21:51

I do not know why someone down voted this question. It might not have the best phrasing, but is no duplicate to the other, as the other wants to encrypt only parts of the file system and this question is about encrypting the whole FS. It is also not related to LUKS, because as far as I can tell, f2fs has a seperate encryption method which is not related to LUKS. What I do not know, is if this method of f2fs can be applied to a whole filesystem and not just to all parts.
– JepZ
Apr 29 '17 at 12:58

add a comment |

2 Answers
2

active

oldest

votes

up vote
1
down vote

LUKS is filesystem agnostic. It works at a lower level than the filesystem. LUKS is how Android does full disk encryption.

answered Dec 25 '16 at 0:34

Gilles

523k12610421575

1

Right but I'm not just asking about LUKS. I saw in linux kernel update that F2FS encryption has been added in some fashion. Anything secure would be great but there are no docs on how.
– xendi
Dec 25 '16 at 21:17

So I should just be able to follow the LUKS procedure on an F2FS formatted drive?
– xendi
Dec 25 '16 at 21:50

LUKS would apparently render F2FS useless, hence why we need to use file/dir encryption now provided link
– xendi
Dec 25 '16 at 22:05

@xendi You can use LUKS with F2FS. You create the LUKS container first and then the filesystem, just like with any other filesystem. LUKS does work with TRIM and it doesn't “make F2FS useless”. The point of encryption on top of F2FS is if you want per-file encryption, i.e. if you don't want full disk encryption.
– Gilles
Dec 25 '16 at 22:55

We want to keep TRIM features :(
– xendi
Apr 29 '17 at 18:51

|
show 3 more comments

up vote
0
down vote

Out of f2fscrypt man page:

# mkfs.f2fs -O encrypt /dev/sdxx
# mount /dev/sdxx /encrypted/
# mkdir /encrypted/dir

First create the key in the keyring use an simple salt
(or generate a random salt).
Then use it to set the policy for the directory to be encrypted.

# f2fscrypt add_key -S 0x1234
Enter passphrase (echo disabled):
Added key with descriptor [28e21cc0c4393da1]

# f2fscrypt set_policy 28e21cc0c4393da1 /encrypted/dir
Key with descriptor [28e21cc0c4393da1] applied to /encrypted/dir.

# touch /encrypted/dir/test.txt
# ls -l /encrypted/dir/
-rw-r--r--. 1 root root 0 Mar 5 21:41 test.txt

After each reboot, the same command can be used set the key for
decryption of the directory and its descendants.

# ls -l /encrypted/dir/
-rw-r--r--. 1 root root 0 Mar 5 21:41 zbx7tsUEMLzh+AUVMkQcnB

# f2fscrypt get_policy /encrypted/dir/
/encrypted/dir/: 28e21cc0c4393da1

# f2fscrypt add_key -S 0x1234
Enter passphrase (echo disabled):
Added key with descriptor [28e21cc0c4393da1]

# ls -l /encrypted/dir/
-rw-r--r--. 1 root root 0 Mar 5 21:41 test.txt

Show process keyrings.

# keyctl show
Session Keyring
084022412 --alswrv 0 0 keyring: _ses
204615789 --alswrv 0 65534 _ keyring: _uid.0
529474961 --alsw-v 0 0 _ logon: f2fs:28e21cc0c4393da1

Figuring out how to implement this in boottime

answered Nov 24 at 1:04

xtf

add a comment |

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});

}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f332554%2fhow-to-f2fs-filesystem-encryption%23new-answer', 'question_page');
}
);

Post as a guest

Name

Required, but never shown

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

up vote
1
down vote

LUKS is filesystem agnostic. It works at a lower level than the filesystem. LUKS is how Android does full disk encryption.

answered Dec 25 '16 at 0:34

Gilles

523k12610421575

1

Right but I'm not just asking about LUKS. I saw in linux kernel update that F2FS encryption has been added in some fashion. Anything secure would be great but there are no docs on how.
– xendi
Dec 25 '16 at 21:17

So I should just be able to follow the LUKS procedure on an F2FS formatted drive?
– xendi
Dec 25 '16 at 21:50

LUKS would apparently render F2FS useless, hence why we need to use file/dir encryption now provided link
– xendi
Dec 25 '16 at 22:05

@xendi You can use LUKS with F2FS. You create the LUKS container first and then the filesystem, just like with any other filesystem. LUKS does work with TRIM and it doesn't “make F2FS useless”. The point of encryption on top of F2FS is if you want per-file encryption, i.e. if you don't want full disk encryption.
– Gilles
Dec 25 '16 at 22:55

We want to keep TRIM features :(
– xendi
Apr 29 '17 at 18:51

|
show 3 more comments

up vote
1
down vote

LUKS is filesystem agnostic. It works at a lower level than the filesystem. LUKS is how Android does full disk encryption.

answered Dec 25 '16 at 0:34

Gilles

523k12610421575

1

Right but I'm not just asking about LUKS. I saw in linux kernel update that F2FS encryption has been added in some fashion. Anything secure would be great but there are no docs on how.
– xendi
Dec 25 '16 at 21:17

So I should just be able to follow the LUKS procedure on an F2FS formatted drive?
– xendi
Dec 25 '16 at 21:50

LUKS would apparently render F2FS useless, hence why we need to use file/dir encryption now provided link
– xendi
Dec 25 '16 at 22:05

@xendi You can use LUKS with F2FS. You create the LUKS container first and then the filesystem, just like with any other filesystem. LUKS does work with TRIM and it doesn't “make F2FS useless”. The point of encryption on top of F2FS is if you want per-file encryption, i.e. if you don't want full disk encryption.
– Gilles
Dec 25 '16 at 22:55

We want to keep TRIM features :(
– xendi
Apr 29 '17 at 18:51

|
show 3 more comments

up vote
1
down vote

LUKS is filesystem agnostic. It works at a lower level than the filesystem. LUKS is how Android does full disk encryption.

answered Dec 25 '16 at 0:34

Gilles

523k12610421575

LUKS is filesystem agnostic. It works at a lower level than the filesystem. LUKS is how Android does full disk encryption.

answered Dec 25 '16 at 0:34

Gilles

523k12610421575

answered Dec 25 '16 at 0:34

Gilles

523k12610421575

answered Dec 25 '16 at 0:34

Gilles

523k12610421575

answered Dec 25 '16 at 0:34

Gilles

523k12610421575

1

Right but I'm not just asking about LUKS. I saw in linux kernel update that F2FS encryption has been added in some fashion. Anything secure would be great but there are no docs on how.
– xendi
Dec 25 '16 at 21:17

So I should just be able to follow the LUKS procedure on an F2FS formatted drive?
– xendi
Dec 25 '16 at 21:50

LUKS would apparently render F2FS useless, hence why we need to use file/dir encryption now provided link
– xendi
Dec 25 '16 at 22:05

@xendi You can use LUKS with F2FS. You create the LUKS container first and then the filesystem, just like with any other filesystem. LUKS does work with TRIM and it doesn't “make F2FS useless”. The point of encryption on top of F2FS is if you want per-file encryption, i.e. if you don't want full disk encryption.
– Gilles
Dec 25 '16 at 22:55

We want to keep TRIM features :(
– xendi
Apr 29 '17 at 18:51

|
show 3 more comments

1

Right but I'm not just asking about LUKS. I saw in linux kernel update that F2FS encryption has been added in some fashion. Anything secure would be great but there are no docs on how.
– xendi
Dec 25 '16 at 21:17

So I should just be able to follow the LUKS procedure on an F2FS formatted drive?
– xendi
Dec 25 '16 at 21:50

LUKS would apparently render F2FS useless, hence why we need to use file/dir encryption now provided link
– xendi
Dec 25 '16 at 22:05

@xendi You can use LUKS with F2FS. You create the LUKS container first and then the filesystem, just like with any other filesystem. LUKS does work with TRIM and it doesn't “make F2FS useless”. The point of encryption on top of F2FS is if you want per-file encryption, i.e. if you don't want full disk encryption.
– Gilles
Dec 25 '16 at 22:55

We want to keep TRIM features :(
– xendi
Apr 29 '17 at 18:51

Right but I'm not just asking about LUKS. I saw in linux kernel update that F2FS encryption has been added in some fashion. Anything secure would be great but there are no docs on how.
– xendi
Dec 25 '16 at 21:17

So I should just be able to follow the LUKS procedure on an F2FS formatted drive?
– xendi
Dec 25 '16 at 21:50

LUKS would apparently render F2FS useless, hence why we need to use file/dir encryption now provided link
– xendi
Dec 25 '16 at 22:05

@xendi You can use LUKS with F2FS. You create the LUKS container first and then the filesystem, just like with any other filesystem. LUKS does work with TRIM and it doesn't “make F2FS useless”. The point of encryption on top of F2FS is if you want per-file encryption, i.e. if you don't want full disk encryption.
– Gilles
Dec 25 '16 at 22:55

We want to keep TRIM features :(
– xendi
Apr 29 '17 at 18:51