Re: overlayfs vs. fscrypt
From: Eric Biggers
Date: Wed Mar 13 2019 - 18:13:32 EST
On Wed, Mar 13, 2019 at 02:04:29PM -0700, James Bottomley wrote:
> On Wed, 2019-03-13 at 13:25 -0700, Eric Biggers wrote:
> > On Wed, Mar 13, 2019 at 01:06:06PM -0700, James Bottomley wrote:
> > > On Wed, 2019-03-13 at 12:57 -0700, Eric Biggers wrote:
> [...]
> > > > fscrypt would allow the data to be stored encrypted on the local
> > > > disk, so it's protected against offline compromise of the disk.
> > >
> > > Container images are essentially tars of the overlays. They only
> > > become actual filesystems when instantiated at runtime. The
> > > current encrypted container image is an overlay or set of overlays
> > > which is tarred then encrypted. So to instantiate it is decrypted
> > > then untarred.
> > >
> > > The thing I was wondering about was whether instead of a tar
> > > encrypt we could instead produce an encrypted image from a fscrypt
> > > filesystem.
> > >
> >
> > Why do you care whether the container image is encrypted on the local
> > disk, when you're extracting it in plaintext onto the local disk
> > anyway each time it runs? Even after the runtime files are "deleted",
> > they may still be recoverable from the disk. Are you using shred and
> > BLKSECDISCARD, and a non-COW filesystem?
> >
> > Now, if you wanted to avoid writing the plaintext to disk entirely
> > (and thereby use encryption to actually achieve a useful security
> > property that can't be achieved through file permissions), fscrypt is
> > a good solution for that.
>
> OK let's start with a cloud and container 101: A container is an
> exactly transportable IaaS environment containing an application. The
> format for the exact transport is the "container image" I've been
> describing (layered tar file set deployed with overlays). These images
> are usually stored in cloud based registries which may or may not have
> useful access controls. I take it the reason for image encryption to
> protect confidentiality within the registry is obvious.
>
> Because of the exact transport, the deployment may be on my laptop, on
> my test system or in some type of public or private cloud. In all
> cases bar the laptop, I won't actually own the physical system which
> ends up deploying the container. So in exchange for security
> guarantees from the physical system owner, I agree to turn over my
> decryption key and possibly a cash payment. One of these guarantees is
> usually that they shred the key after use and that they deploy a useful
> key escrow system like vault or keyprotect to guard it even while the
> decryption is being done.
> Another is that all traces of the container be shredded after the execution is
> finished.
Well, sounds like that's not the case currently even with an encrypted container
image, because the actual runtime files are not encrypted on disk. Encrypting
the runtime files using fscrypt with an ephemeral key would be useful here.
IOW, randomly generate an encryption key when the container starts, never store
it anywhere, and wipe it when the container stops.
Note that this is separate from the container *image* encryption.
> considering is could I be protected against either cloud provider
> cockups that might leak the image (the misconfigured backup scenario I
> suggested) or malicious actions of other tenants.
If the container image is encrypted with a key not on the system, then its
confidentiality is protected from anything that may happen on that system.
But if the container image encryption key *is* on the system, your container
image may be leaked either accidentally or maliciously.
- Eric