Improved Fscrypt Sent In For Linux 5.4 To Offer Better Native File Encryption Handling
In addition to submitting the FS-VERITY file authentication code for Linux 5.4, Google's Eric Biggers has sent out his big update to the fscrypt file encryption framework for this next kernel revision.
Fscrypt, as a reminder, is the kernel framework that provides native, per-directory file encryption to file-systems. It is currently used by EXT4, F2FS, and UBIFS, and Google uses it for Android's file-based encryption. Fscrypt has been around for several kernel cycles now, but Linux 5.4 brings its first big update.
The code proposed for Linux 5.4 reworks fscrypt key management and addresses other issues that have come up during early adoption of this file encryption support. Biggers noted some of the specific improvements:
- Add ioctls that add/remove encryption keys to/from a filesystem-level keyring. These fix user-reported issues where e.g. an encrypted home directory can break NetworkManager, sshd, Docker, etc. because they don't get access to the needed keyring. These ioctls also provide a way to lock encrypted directories that doesn't use the vm.drop_caches sysctl, so is faster, more reliable, and doesn't always need root.
- Add a new encryption policy version ("v2") which switches to a more standard, secure, and flexible key derivation function, and starts verifying that the correct key was supplied before using it. The key derivation improvement is needed for its own sake as well as for ongoing feature work for which the current way is too inflexible.
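As an added example (not code from the article, the pull request, or the kernel tree), the C program below walks the flow the two bullets describe: add a raw master key with the new FS_IOC_ADD_ENCRYPTION_KEY ioctl and receive the kernel-computed key identifier, set a "v2" policy on an empty directory, then lock the directory again with FS_IOC_REMOVE_ENCRYPTION_KEY instead of vm.drop_caches. The struct layouts and ioctl numbers are reproduced from the Linux 5.4 UAPI header linux/fscrypt.h so the file builds without recent kernel headers; the program name, the demo directory and the choice to draw the demo key from /dev/urandom are assumptions for illustration only.

```c
/* Added example (not from the article or the kernel tree): the Linux 5.4 fscrypt v2
 * key-management flow from user space. Struct layouts and ioctl numbers are copied
 * from the 5.4 UAPI header <linux/fscrypt.h> so this builds against older headers.
 * Use: ./fscrypt_v2_demo <empty dir you own on an ext4/f2fs/ubifs filesystem with
 * the encrypt feature, not the mount root>. No root is needed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

enum { /* constants from <linux/fscrypt.h>, Linux 5.4 */
    FSCRYPT_KEY_IDENTIFIER_SIZE = 16, FSCRYPT_POLICY_V2 = 2, FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER = 2,
    FSCRYPT_MODE_AES_256_XTS = 1, FSCRYPT_MODE_AES_256_CTS = 4, FSCRYPT_POLICY_FLAGS_PAD_16 = 0x02,
    FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY = 0x01, FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS = 0x02,
    FSCRYPT_MIN_KEY_SIZE = 16, FSCRYPT_MAX_KEY_SIZE = 64 /* the kernel rejects raw keys outside this range */
};
struct fscrypt_policy_v1 { uint8_t version, contents_mode, filenames_mode, flags, descriptor[8]; };
struct fscrypt_policy_v2 { uint8_t version, contents_encryption_mode, filenames_encryption_mode,
                           flags, reserved[4], master_key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]; };
struct fscrypt_key_specifier { uint32_t type, reserved;
    union { uint8_t reserved[32], descriptor[8], identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]; } u; };
struct fscrypt_add_key_arg { struct fscrypt_key_specifier key_spec; uint32_t raw_size, reserved[9];
                             uint8_t raw[]; };
struct fscrypt_remove_key_arg { struct fscrypt_key_specifier key_spec;
                                uint32_t removal_status_flags, reserved[5]; };
#define FS_IOC_SET_ENCRYPTION_POLICY _IOR('f', 19, struct fscrypt_policy_v1)
#define FS_IOC_ADD_ENCRYPTION_KEY    _IOWR('f', 23, struct fscrypt_add_key_arg)
#define FS_IOC_REMOVE_ENCRYPTION_KEY _IOWR('f', 24, struct fscrypt_remove_key_arg)

/* Zero key material through a volatile pointer so dead-store elimination cannot drop it. */
static void wipe(void *p, size_t n) { volatile uint8_t *v = p; while (n--) *v++ = 0; }

/* v2 policy (AES-256-XTS contents, AES-256-CTS names, 16-byte name padding) bound to a key identifier.
 * The kernel computes v2 identifiers from the raw key, so all-zero means "never added": rejected with -1. */
int build_v2_policy(struct fscrypt_policy_v2 *p, const uint8_t id[FSCRYPT_KEY_IDENTIFIER_SIZE])
{
    static const uint8_t zero[FSCRYPT_KEY_IDENTIFIER_SIZE];
    struct fscrypt_policy_v2 tmp = { .version = FSCRYPT_POLICY_V2, .flags = FSCRYPT_POLICY_FLAGS_PAD_16,
        .contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS, .filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS };
    if (memcmp(id, zero, sizeof zero) == 0) return -1;
    memcpy(tmp.master_key_identifier, id, sizeof zero);
    *p = tmp;
    return 0;
}

/* Add a raw master key to the keyring of the filesystem containing fd. The kernel derives the identifier
 * with HKDF-SHA512 and writes it back into id_out. Returns 0, or -1 with errno set (EINVAL: bad key size;
 * ENOTTY or EOPNOTSUPP: no fscrypt support on this filesystem, or a pre-5.4 kernel without the ioctl). */
int fscrypt_add_key_v2(int fd, const uint8_t *raw, size_t n, uint8_t id_out[FSCRYPT_KEY_IDENTIFIER_SIZE])
{
    struct fscrypt_add_key_arg *arg; int rc;
    if (n < FSCRYPT_MIN_KEY_SIZE || n > FSCRYPT_MAX_KEY_SIZE) { errno = EINVAL; return -1; }
    if (!(arg = calloc(1, sizeof *arg + n))) return -1;
    arg->key_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER; /* identifier left zero: the kernel fills it in */
    arg->raw_size = (uint32_t)n;
    memcpy(arg->raw, raw, n);
    rc = ioctl(fd, FS_IOC_ADD_ENCRYPTION_KEY, arg);
    if (rc == 0) memcpy(id_out, arg->key_spec.u.identifier, FSCRYPT_KEY_IDENTIFIER_SIZE);
    wipe(arg, sizeof *arg + n); /* don't leave the raw key on the heap */
    free(arg);
    return rc == 0 ? 0 : -1;
}

/* Lock: remove the key from the filesystem keyring and evict cached plaintext. Returns 0 = fully removed;
 * 1 = removed, but still-open files keep some inodes busy until they are closed; 2 = not removed because
 * other users also added this key; -1 = error with errno set. */
int fscrypt_remove_key_v2(int fd, const uint8_t id[FSCRYPT_KEY_IDENTIFIER_SIZE])
{
    struct fscrypt_remove_key_arg arg = { .key_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER };
    memcpy(arg.key_spec.u.identifier, id, FSCRYPT_KEY_IDENTIFIER_SIZE);
    if (ioctl(fd, FS_IOC_REMOVE_ENCRYPTION_KEY, &arg) != 0) return -1;
    if (arg.removal_status_flags & FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS) return 2;
    return (arg.removal_status_flags & FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY) ? 1 : 0;
}

int main(int argc, char **argv)
{
    uint8_t raw[FSCRYPT_MAX_KEY_SIZE], id[FSCRYPT_KEY_IDENTIFIER_SIZE];
    struct fscrypt_policy_v2 pol; int fd, pfd, rnd, r;
    if (argc != 2) { fprintf(stderr, "usage: %s <empty-dir>\n", argv[0]); return 2; }
    /* Demo key from urandom; a real tool derives it from a passphrase KDF or a hardware keystore. */
    if ((rnd = open("/dev/urandom", O_RDONLY)) < 0 || read(rnd, raw, sizeof raw) != (ssize_t)sizeof raw) { perror("/dev/urandom"); return 1; }
    close(rnd);
    if ((fd = open(argv[1], O_RDONLY | O_DIRECTORY)) < 0) { perror(argv[1]); return 1; }
    if (fscrypt_add_key_v2(fd, raw, sizeof raw, id) != 0) { perror("FS_IOC_ADD_ENCRYPTION_KEY"); return 1; }
    wipe(raw, sizeof raw);
    /* A v2 policy may only name a key this user has already added; the kernel verifies that. */
    build_v2_policy(&pol, id);
    if (ioctl(fd, FS_IOC_SET_ENCRYPTION_POLICY, &pol) != 0) { perror("FS_IOC_SET_ENCRYPTION_POLICY"); return 1; }
    printf("%s: v2 policy set, key identifier ", argv[1]);
    for (int i = 0; i < FSCRYPT_KEY_IDENTIFIER_SIZE; i++) printf("%02x", id[i]);
    /* Lock through the parent: our own fd on the encrypted directory would count as a busy file. */
    pfd = openat(fd, "..", O_RDONLY | O_DIRECTORY); close(fd);
    r = fscrypt_remove_key_v2(pfd, id);
    printf("\nlock: %s\n", r == 0 ? "key removed" : r == 1 ? "files busy, eviction deferred"
                         : r == 2 ? "other users still hold the key" : strerror(errno));
    close(pfd); return r < 0;
}
```

Two practitioner notes on what the return codes show. On a kernel before 5.4, or on a filesystem without the encrypt feature, FS_IOC_ADD_ENCRYPTION_KEY fails with ENOTTY or EOPNOTSUPP and nothing is changed, so a tool can probe for v2 support that way before falling back to the old keyring-based v1 flow. And removal is only complete when the return is 0: a 1 means the key is gone from the keyring but files that were still open keep their cached state until they close, which is exactly the case the old vm.drop_caches approach could not report, and a 2 means another user also added the key, so it remains until they remove it too.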
Linux desktop and Android user-space software is still being updated to make use of the new and improved functionality. More details are in the pull request.