what is difference between linux kernel subsystem dm-crypt and ecryptfs?

Question

I was trying to read the source of ecryptfs in linux. Could anyone help me to explain the distinguish between linux kernel subsystem dm-crypt and ecryptfs. Is there any reference books that introduce source of ecryptfs. thanks for helping me .

Answer 1

dm-crypt and eCryptfs are both features tightly integrated inside of the Linux kernel, that encrypt data at rest. Both have been upstream in the Linux kernel since at least 2006, and are heavily used by consumers and enterprises. The approach each takes, though, is quite different.

dm-crypt provides "block" level encryption. With dm-crypt, the Linux kernel creates an entire encrypted block device, which can then be used like any other block device in the system. It can be partitioned, carved into an LVM, RAID, or used directly as a disk. This does mean, however, that you have to decide to use encryption up front, and pre-allocate the space up front, and then create and format a filesystem. It's extremely fast and efficient, especially when your CPU supports Intel's AES-NI cryptographic acceleration on the CPU. However, there is only a single key used for the entire block device. As such, it's a bit of a blunt, all-or-nothing approach to encryption.

eCryptfs provides "per-file" encryption. eCryptfs is a fully POSIX-compliant stacked filesystem for Linux. eCryptfs stores metadata in the header of each file, so that encrypted files can be copied between hosts; the file will be decrypted with the proper key in the Linux kernel keyring. There is no need to keep track of any additional information aside from what is already in the encrypted file itself. You may think of eCryptfs as a sort of "GnuPG as a filesystem". Different files can be encrypted with different keys, and filenames can optionally be encrypted. File attributes, however, are not masked, so an attacker could see the approximate size of a file, its ownerships, permissions, and timestamps. Since eCryptfs is a layered filesystem, you don't have to pre-allocate the space ahead of time. You just mount one directory on top of another (a little like NFS); all data written to and read from the upper directory (assuming you have the key) looks like plaintext data, but all of the data is encrypted before it's written to disk below as ciphertext. Since eCryptfs has to process keys and metadata on a per-file basis, it performs a little slower than dm-crypt on saturated reads and writes.

Most Linux distributions support dm-crypt to some extent in their installers, as well as Android. You can use dm-crypt to encrypt the entire device or root installation of a desktop, tablet, phone, or server, but this typically means that the system can no longer boot unattended, as you will need to interactively enter a passphrase at boot.

For this reason, Ubuntu added support for eCryptfs in its installer, enabling users to encrypt only sensitive parts of the disk, such as their home directories, and leveraging the user's login passphrase to unwrap a special, long, randomly generated key. Approximately 3 million Ubuntu users leverage eCryptfs to encrypt their home directory. Some commercial network attached storage devices, such as Synology, use eCryptfs to encrypt the data at rest. And every Google Chromebook device uses eCryptfs to secure and encrypt the user's local cache and credentials at rest.

Full disclosure: I am one of the authors and maintainers of eCryptfs.