I was trying to read the source of ecryptfs in linux. Could anyone help me to explain the distinguish between linux kernel subsystem dm-crypt and ecryptfs. Is there any reference books that introduce source of ecryptfs. thanks for helping me .
what is difference between linux kernel subsystem dm-crypt and ecryptfs?
10.4k views Asked by user2672048 At
1
There are 1 answers
Related Questions in C
- How to call a C language function from x86 assembly code?
- What does: "char *argv[]" mean?
- User input sanitization program, which takes a specific amount of arguments and passes the execution to a bash script
- How to crop a BMP image in half using C
- How can I get the difference in minutes between two dates and hours?
- Why will this code compile although it defines two variables with the same name?
- Compiling eBPF program in Docker fails due to missing '__u64' type
- Why can't I use the file pointer after the first read attempt fails?
- #include Header files in C with definition too
- OpenCV2 on CLion
- What is causing the store latency in this program?
- How to refer to the filepath of test data in test sourcecode?
- 9 Digit Addresses in Hexadecimal System in MacOS
- My server TCP doesn't receive messages from the client in C
- Printing the characters obtained from the array s using printf?
Related Questions in LINUX-KERNEL
- Android kernel error: undefined reference to `get_hw_version_platform'
- Is there a need for BPF Linux namespace?
- Facing fatal errors while running "yum update" command on CentOS 7/Cloudlinux 7
- crash utility itself crashes while decoding kdump generated from null pointer dereference in kernel module
- How to compile the Linux kernel with -O0 for more detailed debug?
- Linux support for parallel Pixel data Image sensor
- Can't upgrade to newest version of linux-image-6.5.0-26-generic
- How to protect a page so that it cannot be write in mips arch?
- How to extract the .img file into normal kernel source file in the linux?
- Storage size of struct hash_desc desc; isn't known
- How can I intercept failed file openning calls?
- struct nameidata-Linux Kernel Module
- How to modify a 'struct msghdr' in Linux Kernel Module?
- How to allocate 500MB+ physically contiguous memory in a Linux kernel module and copy data to that memory from a userspace process?
- Hyper Threading: nosmt in grub configuration
Related Questions in ECRYPTFS
- ecryptfs: DDev Magento linux quick start setup failing on "file name too long"
- Mounting FS from Kernel
- How do I mount an encrypted /home directory with Linux Mint 18.3 KDE?
- Mounting ecryptfs using C++ mount function
- Git "File name too long" after /home encryption with eCryptfs on Ubuntu
- Problems when mounting an Ecryptfs folder located on an NFS share
- ecryptfs-migrate-home with domain user's home directory
- Decrypt and mount an eCryptFS encrypted directory using an external C++ script in Linux
- eCryptfs - same plain files generates different encrypted files
- How to use ssh-askpass in systemd and init.d at startup
- Git: how does git push handle an encrypted folder when "push"
- Recreate the .Private link in your home directory
- Memory mapped files failing in ecryptfs directory
- How to do an aes encryption WITH a user password?
- How do I make ecryptfs automatically use my key?
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
dm-crypt and eCryptfs are both features tightly integrated inside of the Linux kernel, that encrypt data at rest. Both have been upstream in the Linux kernel since at least 2006, and are heavily used by consumers and enterprises. The approach each takes, though, is quite different.
dm-crypt provides "block" level encryption. With dm-crypt, the Linux kernel creates an entire encrypted block device, which can then be used like any other block device in the system. It can be partitioned, carved into an LVM, RAID, or used directly as a disk. This does mean, however, that you have to decide to use encryption up front, and pre-allocate the space up front, and then create and format a filesystem. It's extremely fast and efficient, especially when your CPU supports Intel's AES-NI cryptographic acceleration on the CPU. However, there is only a single key used for the entire block device. As such, it's a bit of a blunt, all-or-nothing approach to encryption.
eCryptfs provides "per-file" encryption. eCryptfs is a fully POSIX-compliant stacked filesystem for Linux. eCryptfs stores metadata in the header of each file, so that encrypted files can be copied between hosts; the file will be decrypted with the proper key in the Linux kernel keyring. There is no need to keep track of any additional information aside from what is already in the encrypted file itself. You may think of eCryptfs as a sort of "GnuPG as a filesystem". Different files can be encrypted with different keys, and filenames can optionally be encrypted. File attributes, however, are not masked, so an attacker could see the approximate size of a file, its ownerships, permissions, and timestamps. Since eCryptfs is a layered filesystem, you don't have to pre-allocate the space ahead of time. You just mount one directory on top of another (a little like NFS); all data written to and read from the upper directory (assuming you have the key) looks like plaintext data, but all of the data is encrypted before it's written to disk below as ciphertext. Since eCryptfs has to process keys and metadata on a per-file basis, it performs a little slower than dm-crypt on saturated reads and writes.
Most Linux distributions support dm-crypt to some extent in their installers, as well as Android. You can use dm-crypt to encrypt the entire device or root installation of a desktop, tablet, phone, or server, but this typically means that the system can no longer boot unattended, as you will need to interactively enter a passphrase at boot.
For this reason, Ubuntu added support for eCryptfs in its installer, enabling users to encrypt only sensitive parts of the disk, such as their home directories, and leveraging the user's login passphrase to unwrap a special, long, randomly generated key. Approximately 3 million Ubuntu users leverage eCryptfs to encrypt their home directory. Some commercial network attached storage devices, such as Synology, use eCryptfs to encrypt the data at rest. And every Google Chromebook device uses eCryptfs to secure and encrypt the user's local cache and credentials at rest.
Full disclosure: I am one of the authors and maintainers of eCryptfs.