What is the difference between the Linux kernel subsystems dm-crypt and eCryptfs? [closed]

I was trying to read the source of eCryptfs in Linux. Could anyone help me explain the distinction between the Linux kernel subsystem dm-crypt and eCryptfs? Are there any reference books that introduce the source of eCryptfs? Thanks for helping me.

asked Aug 14 '13 11:08 by user2672048



1 Answer

dm-crypt and eCryptfs are both features tightly integrated inside of the Linux kernel that encrypt data at rest. Both have been upstream in the Linux kernel since at least 2006, and are heavily used by consumers and enterprises. The approach each takes, though, is quite different.

dm-crypt provides "block" level encryption. With dm-crypt, the Linux kernel creates an entire encrypted block device, which can then be used like any other block device in the system. It can be partitioned, carved into an LVM, RAID, or used directly as a disk. This does mean, however, that you have to decide to use encryption up front, and pre-allocate the space up front, and then create and format a filesystem. It's extremely fast and efficient, especially when your CPU supports Intel's AES-NI cryptographic acceleration on the CPU. However, there is only a single key used for the entire block device. As such, it's a bit of a blunt, all-or-nothing approach to encryption.

eCryptfs provides "per-file" encryption. eCryptfs is a fully POSIX-compliant stacked filesystem for Linux. eCryptfs stores metadata in the header of each file, so that encrypted files can be copied between hosts; the file will be decrypted with the proper key in the Linux kernel keyring. There is no need to keep track of any additional information aside from what is already in the encrypted file itself. You may think of eCryptfs as a sort of "GnuPG as a filesystem". Different files can be encrypted with different keys, and filenames can optionally be encrypted. File attributes, however, are not masked, so an attacker could see the approximate size of a file, its ownerships, permissions, and timestamps. Since eCryptfs is a layered filesystem, you don't have to pre-allocate the space ahead of time. You just mount one directory on top of another (a little like NFS); all data written to and read from the upper directory (assuming you have the key) looks like plaintext data, but all of the data is encrypted before it's written to disk below as ciphertext. Since eCryptfs has to process keys and metadata on a per-file basis, it performs a little slower than dm-crypt on saturated reads and writes.

Most Linux distributions support dm-crypt to some extent in their installers, as well as Android. You can use dm-crypt to encrypt the entire device or root installation of a desktop, tablet, phone, or server, but this typically means that the system can no longer boot unattended, as you will need to interactively enter a passphrase at boot.

For this reason, Ubuntu added support for eCryptfs in its installer, enabling users to encrypt only sensitive parts of the disk, such as their home directories, and leveraging the user's login passphrase to unwrap a special, long, randomly generated key. Approximately 3 million Ubuntu users leverage eCryptfs to encrypt their home directory. Some commercial network attached storage devices, such as Synology, use eCryptfs to encrypt the data at rest. And every Google Chromebook device uses eCryptfs to secure and encrypt the user's local cache and credentials at rest.

Full disclosure: I am one of the authors and maintainers of eCryptfs.

answered Sep 21 '22 08:09 by Dustin Kirkland
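The answer's structural point, that a LUKS-formatted dm-crypt device carries one header at the start of the whole block device while eCryptfs writes a marker and metadata into the head of every file, can be seen directly in the bytes. The following Python script is an added example (not from the question or the answer, and not eCryptfs or cryptsetup project code): it recognises both formats from their opening bytes, using the field layout of the LUKS1/LUKS2 on-disk format and the `MAGIC_ECRYPTFS_MARKER` constant from the eCryptfs kernel source. The sample headers it builds, including the cipher names, the all-zero UUID and the marker seed, are constructed for the demonstration; `scan_directory` is a hypothetical helper showing the forensic use.

```python
"""Tell a LUKS (dm-crypt) header apart from an eCryptfs file header.

Added example, not code from the original Q&A or from the eCryptfs/cryptsetup
projects. Layout constants follow the LUKS1/LUKS2 on-disk format and the eCryptfs
kernel source (MAGIC_ECRYPTFS_MARKER in fs/ecryptfs/ecryptfs_kernel.h); every
sample value built below is constructed for illustration.
"""
import os
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"          # bytes 0..5 of every LUKS header
ECRYPTFS_MARKER_MAGIC = 0x3C81B7F5    # second marker word = first word XOR this
ECRYPTFS_FILE_SIZE_BYTES = 8          # header starts with the plaintext size


def _cstr(blob, start, size):
    """Decode a NUL-padded fixed-width ASCII field."""
    return blob[start:start + size].split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks_header(blob):
    """Describe a LUKS header, or return None if the blob is not LUKS."""
    if len(blob) < 8 or blob[:6] != LUKS_MAGIC:
        return None
    (version,) = struct.unpack_from(">H", blob, 6)
    info = {"scheme": "luks", "version": version}
    if version == 1 and len(blob) >= 208:
        payload_offset, key_bytes = struct.unpack_from(">II", blob, 104)
        info.update(cipher=_cstr(blob, 8, 32), mode=_cstr(blob, 40, 32),
                    hash=_cstr(blob, 72, 32), payload_offset_sectors=payload_offset,
                    key_bytes=key_bytes, uuid=_cstr(blob, 168, 40))
    elif version == 2 and len(blob) >= 72:
        (hdr_size,) = struct.unpack_from(">Q", blob, 8)
        info.update(header_size=hdr_size, label=_cstr(blob, 24, 48))
    return info


def parse_ecryptfs_header(blob):
    """Describe an eCryptfs file header, or return None if the marker is absent."""
    if len(blob) < 20:
        return None
    m1, m2 = struct.unpack_from(">II", blob, ECRYPTFS_FILE_SIZE_BYTES)
    if (m1 ^ ECRYPTFS_MARKER_MAGIC) != m2:
        return None
    (plaintext_size,) = struct.unpack_from(">Q", blob, 0)
    # byte 16 is the file format version; the three bytes after it hold flag bits
    return {"scheme": "ecryptfs", "plaintext_size": plaintext_size,
            "file_version": blob[16]}


def identify_encrypted_artifact(blob):
    """Classify the opening bytes of a device image or a file."""
    return parse_luks_header(blob) or parse_ecryptfs_header(blob) or {"scheme": "unknown"}


def scan_directory(path, head=32):
    """Map each regular file under path to its detected scheme. eCryptfs files
    carry their own header, so ciphertext copied out of a mount is still found."""
    found = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                found[full] = identify_encrypted_artifact(fh.read(head))["scheme"]
    return found


def _pad(text, size):
    return text.encode("ascii").ljust(size, b"\0")


def make_luks1_sample():
    """Constructed LUKS1 header (592-byte phdr) with placeholder values."""
    hdr = bytearray(592)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:40] = _pad("aes", 32)
    hdr[40:72] = _pad("xts-plain64", 32)
    hdr[72:104] = _pad("sha256", 32)
    struct.pack_into(">II", hdr, 104, 4096, 64)   # payload offset (sectors), key bytes
    hdr[168:208] = _pad("00000000-0000-0000-0000-000000000000", 40)  # placeholder UUID
    return bytes(hdr)


def make_ecryptfs_sample(plaintext_size=1234, m1=0x12345678):
    """Constructed eCryptfs header: size, marker pair, version byte, zero flags."""
    hdr = bytearray(64)
    struct.pack_into(">Q", hdr, 0, plaintext_size)
    struct.pack_into(">II", hdr, 8, m1, m1 ^ ECRYPTFS_MARKER_MAGIC)
    hdr[16] = 3                                    # file format version 3
    return bytes(hdr)


if __name__ == "__main__":
    for label, blob in [("luks1", make_luks1_sample()),
                        ("ecryptfs", make_ecryptfs_sample()),
                        ("plain bytes", bytes(range(64)))]:
        print(label, identify_encrypted_artifact(blob))
```

Two caveats follow from the formats themselves. A dm-crypt device set up in plain mode has no header at all and is indistinguishable from random data, so an "unknown" result never proves that a device is unencrypted. Conversely, because eCryptfs metadata travels inside each file, the scanner will find eCryptfs ciphertext in a backup or on another host, which is exactly the per-file portability the answer describes.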