Improved Fscrypt File Encryption Handling Aims For Linux 5.4

Fscrypt is the common Linux kernel framework leveraged by the likes of the EXT4, F2FS, and UBIFS file-systems for providing native encryption support. While that Fscrypt-based file encryption has been part of the kernel for several releases now, there's been some shortcomings in how the encryption keys are handled but that should be cleared up for the upcoming Linux 5.4 cycle.

Eric Biggers of Google has been working to improve the key management for fscrypt. The solution he's been working on for a while is support for a file-system level key-ring with ioctls that allows keys to be easily added and removed.

The issues being addressed by this code are avoiding bugs in how fscrypt is currently abusing an OS-level access control mechanism, no current ability to properly remove a key, weaknesses in the key derivation function, and fscrypt not checking that the correct key was supplied as a current security vulnerability.

More details on this code still being worked on but will hopefully be ready for Linux 5.4 can be found via this message.