Re: ecryptfs is unmaintained and untested

Next message: Petre Rodan: "Re: [PATCH v4 07/19] iio: accel: bma220: split original driver"
Previous message: Charles Mirabile: "Re: [PATCH v3 3/3] irqchip/plic: add support for UltraRISC DP1000 PLIC"
In reply to: Theodore Ts'o: "Re: ecryptfs is unmaintained and untested"
Next in thread: Eric Biggers: "Re: ecryptfs is unmaintained and untested"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Martin Steigerwald

Date: Tue Oct 14 2025 - 12:52:13 EST

Hi.

Theodore Ts'o - 14.10.25, 16:39:16 CEST:
> This is probably because for many desktop and server configurations,
> using dm-crypt is actually better suited and more secure. It
> certainly doesn't solve the "just encrypt a directory hierarchy in a
> file system" and the "support multiple users' who might have different
> encryption keys and which are mutually suspicious" use cases. But
> this appears to not be sufficiently interesting for distributions to
> do that integration work.

If it is just about encrypting a sub directory of the home directory there
has been work to support that on Plasma desktop via Plasma Vault. It
supports CryFS as default, EncFS (with a security warning about it) and
gocryptfs. CryFS is interesting as it also obfuscates the directory
hierarchy as well as object names. All of them are FUSE filesystems.

Maybe one of these – excluding EncFS – could be used for encrypting the
complete home directory of a user. Preferably CryFS maybe. But I bet it
will be quite a bit slower than ecryptfs¹. And I am not aware of any other
desktop or distribution integration work regarding CryFS, gocryptfs or
another alternative.

[1] "The increase in security when compared to other file systems comes at
a performance cost. CryFS is fast enough to be used in practice. I'm
getting a read speed to 170MB/s and a write speed of 80MB/s on my SSD
machine, but other file systems are even faster."

https://www.cryfs.org/comparison

Best,
--
Martin