Re: Idea behind EXT4_IOC_GET_ENCRYPTION_PWSALT?

From: Joe Richey
Date: Tue Nov 29 2016 - 19:45:00 EST


Richard,

Our current design for fscrypt (tentative name for the userspace
filesystem encryption manager) does not use the global filesystem salt
(EXT4_IOC_GET_ENCRYPTION_PWSALT), we are planning on having a
different salt for each password used in the system. We are using
planning on using Argon2id as the password stretching algorithm, so
we'll have costs for memory, time, and parallelism stored for each
password as well as a salt.

I can't speak to other uses of the ioctl.

Joe


On Tue, Nov 29, 2016 at 1:30 PM, Richard Weinberger <richard@xxxxxx> wrote:
> Hi!
>
> As the subject states, I'm a bit confused wrt. EXT4_IOC_GET_ENCRYPTION_PWSALT.
> Will common fscrypt userspace depend on it?
>
> IIUC you want to store some salt to seed the user password.
> But what if /home/rw and /home/dags have different keys? Is it okay
> to use the same salt for both keys?
> Or is it an ad-hoc solution to allow an encrypted filesystem root
> because you need a way to store the seed on the same filesystem but not as
> file since all files are encrypted?
> Wouldn't a xattr stored in the filesystem root directory also do it?
>
> Long story short, I'm not sure whether we really need this ioctl command
> in UBIFS and what the designated semantics are. :-)
>
> Thanks,
> //richard
> --
> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature