Repository files navigation

Linux kernel 4.1 introduced native encryption for the ext4 filesystem.

This is a userspace tool to manage encrypted ext4 directories.

Warning: this kernel feature is very unstable and experimental at the moment. I managed to crash my kernel (4.1.2) a few times very easily just by playing with it.

The target directory must be empty.

$mkdir vault$ext4-crypt create vaultEnter passphrase:Confirm passphrase:vault: Encryption policy is now set.$ext4-crypt status vaultPolicy version:   0Filename cipher:  aes-256-ctsContents cipher:  aes-256-xtsFilename padding: 4Key descriptor:   qC6PCZsFKey serial:       351198062

$ls vaultFTRsD7y2dUyXl6e8omKYbB  IdLqPffZBKSebTeh6hZI7C  tReYAc2tKyIOHSIcaSV2DB$ext4-crypt attach vaultEnter passphrase:$ls vaultfstab  passwd  services

cmake.makesudo make install

Distribution packages could be provided later if deemed useful.

Linux kernel 4.1+ with support forCONFIG_EXT4_ENCRYPTION.

So basically, any passphrase you provide will be accepted, but you'll get junkif you provide the wrong key. This is currently a limitation of the kernelimplementation.

Cipher is hardcoded to be AES-256-XTS for data and AES-256-CTS for filenames.More ciphers will probably be available in future kernel versions.

The encryption policy is stored at the inode level and cannot be removed fromuserspace. You'll need to provide the right key and copy the data to anotherdirectory if you want to remove the encryption.

That is a kernel issue. The dentries cache is not invalidated when you remove the key and still contains the plaintext filenames.

You must remount the device or force a filesystem cache flush with:

#echo 2> /proc/sys/vm/drop_caches

• libkeyutils
• libsodium