Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption
> On 08.12.2017, at 03:51, Jason A. Donenfeld wrote:
>
> Hi Eric,
>
> Nice to see more use of ChaCha20. However...
>
> Can we skip over the "sort of worse than XTS, but not having _real_
> authentication sucks anyway in either case, so whatever" and move
> directly to, "linux finally supports authenticated encryption for disk
> encryption!"? This would be a big deal and would actually be a
> noticeable security improvement, instead of a potentially dubious step
> sidewaysbackish.

Out of curiosity, does anybody know of any specific attacks that authenticated encryption for disk encryption would solve as opposed to just using encryption with AES-XTS? To my knowledge the XTS mode is frowned upon [1], but I don't know of any serious flaws that would eg. allow an attacker to modify file contents without a *serious* amount of effort. CBC is another story though [2].

Don't get me wrong, I'd like to have authenticated encryption too. In fact we are currently working on a concept for adding authentication to UBIFS (I'll share more details as soon as it's in a presentable state). However, the reason for this is mainly because UBIFS does *not* operate on the block layer, so dm-integrity/dm-verity is not an option and fscrypt only protects the confidentiality of file contents and filenames. This means that the filesystem index is unprotected which makes it rather easy to move files around - eg. replace /bin/bash with something completely different without knowing the fscrypt master key or any derived key.

For the general use case though (eg. securing *really important* files on my desktop), I'd use authenticated encryption at a higher layer to get more flexibility to eg. easily use explicit IVs over implicit ones derived from block/sector number.

But maybe there are some use cases I didn't think of just now... :)

David

[1] https://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/
[2] http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/
Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption
On Fri, Dec 08, 2017 at 07:48:54PM -0500, Jeffrey Walton wrote:
> > Still, a stream cipher is sufficient to protect data confidentiality in
> > the event of a single point-in-time permanent offline compromise of the
> > disk, which currently is the primary threat model for fscrypt. Thus,
> > when the alternative is quite literally *no encryption*, we might as
> > well use a stream cipher.
>
> The "single point in time" requirement is kind of interesting. I
> believe you are saying the scheme lacks semantic security.

Well, it is semantically secure when looking at encryptions/decryptions done in the context of different blocks (different IVs) but not semantically secure when looking at encryptions/decryptions done in the context of the same block (same IV). But in that regard it is the same as the other modes such as AES-XTS or AES-CBC. So I think you are missing the point, which is that a stream cipher fails more catastrophically than the other modes when IVs are reused.

> Forgive my ignorance... Does that mean this cipher should not be used
> when backups are in effect; or sync'ing to <provider> happens?

Normally backup or sync software will operate on the plaintext, which makes whatever type of filesystem-level or disk encryption you happen to be using irrelevant. But at a more abstract level, intentional copies (in addition to "unintentional" copies that may be done by the filesystem or flash storage) are certainly a way that you could end up with multiple ciphertexts for the same block in existence at the same time, so that would indeed need to be accounted for in the assumptions.

Eric
Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption
> Still, a stream cipher is sufficient to protect data confidentiality in
> the event of a single point-in-time permanent offline compromise of the
> disk, which currently is the primary threat model for fscrypt. Thus,
> when the alternative is quite literally *no encryption*, we might as
> well use a stream cipher.

The "single point in time" requirement is kind of interesting. I believe you are saying the scheme lacks semantic security.

Forgive my ignorance... Does that mean this cipher should not be used when backups are in effect; or sync'ing to <provider> happens?

Jeff

On Thu, Dec 7, 2017 at 8:38 PM, Eric Biggers wrote:
> From: Eric Biggers
>
> fscrypt currently only supports AES encryption. However, many low-end mobile devices still use older CPUs such as ARMv7, which do not support the AES instructions (the ARMv8 Cryptography Extensions). This results in very poor AES performance, even if the NEON bit-sliced implementation is used. Roughly 20-40 MB/s is a typical number, in comparison to 300-800 MB/s on CPUs that support the AES instructions. Switching from AES-256 to AES-128 only helps by about 30%.
>
> The result is that vendors don't enable encryption on these devices, leaving users unprotected.
>
> A performance difference of similar magnitude can also be observed on x86, between CPUs with and without the AES-NI instruction set.
>
> This patch provides an alternative to AES by updating fscrypt to support the ChaCha20 stream cipher (RFC7539) for contents encryption. ChaCha20 was designed to have a large security margin, to be efficient on general-purpose CPUs without dedicated instructions, and to be vectorizable. It is already supported by the Linux crypto API, including a vectorized implementation for ARM using NEON instructions, and vectorized implementations for x86 using SSSE3 or AVX2 instructions.
>
> On 32-bit ARM processors with NEON support, ChaCha20 is about 3.2 times faster than AES-128-XTS (chacha20-neon vs. xts-aes-neonbs). Without NEON support, ChaCha20 is about 1.5 times as fast (chacha20-generic vs. xts(aes-asm)). The improvement over AES-256-XTS is even greater.
>
> Note that stream ciphers are not an ideal choice for disk encryption, since each data block has to be encrypted with the same IV each time it is overwritten. Consequently, an adversary who observes the ciphertext both before and after a write can trivially recover the keystream if they can guess one of the plaintexts. Moreover, an adversary who can write to the ciphertext can flip arbitrary bits in the plaintext, merely by flipping the corresponding bits in the ciphertext. A block cipher operating in the XTS or CBC-ESSIV mode provides some protection against these types of attacks -- albeit not full protection, which would at minimum require the use of an authenticated encryption mode with nonces.
>
> Unfortunately, we are unaware of any block cipher which performs as well as ChaCha20, has a similar or greater security margin, and has been subject to as much public security analysis. We do not consider Speck to be a viable alternative at this time.
>
> Still, a stream cipher is sufficient to protect data confidentiality in the event of a single point-in-time permanent offline compromise of the disk, which currently is the primary threat model for fscrypt. Thus, when the alternative is quite literally *no encryption*, we might as well use a stream cipher.
>
> We offer ChaCha20 rather than the reduced-round variants ChaCha8 or ChaCha12 because ChaCha20 has a much higher security margin, and we are primarily targeting CPUs where ChaCha20 is fast enough, in particular CPUs that have vector instructions such as NEON or SSSE3. Also, the crypto API currently only supports ChaCha20. Still, if ChaCha8 and/or ChaCha12 support were to be added to the crypto API, it would be straightforward to support them in fscrypt too.
>
> Currently, stream ciphers cannot be used for filenames encryption with fscrypt because all filenames in a directory have to be encrypted with the same IV. Therefore, we offer ChaCha20 for contents encryption only. Filenames encryption still must use AES-256-CTS-CBC. This is acceptable because filenames encryption is not as performance-critical as contents encryption.
>
> ...
Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption
On Fri, Dec 08, 2017 at 07:20:43AM +, Ard Biesheuvel wrote:
> On 8 December 2017 at 02:51, Jason A. Donenfeld wrote:
> > Hi Eric,
> >
> > Nice to see more use of ChaCha20. However...
> >
> > Can we skip over the "sort of worse than XTS, but not having _real_
> > authentication sucks anyway in either case, so whatever" and move
> > directly to, "linux finally supports authenticated encryption for disk
> > encryption!"?
>
> Ehm, it doesn't? This is plain ChaCha20, not any AEAD variant.
>
> > This would be a big deal and would actually be a
> > noticeable security improvement, instead of a potentially dubious step
> > sidewaysbackish.
> >
>
> It is actually dubious, given the large scale reuse of IVs with a
> stream cipher. I do suppose though that using an AEAD variant would at
> least catch any attacks involving flipping ciphertext bits resulting
> in plaintext bits being flipped at the same offset (but file updates
> would still be visible in the clear)
>

It *is* dubious, but it would be a replacement for No Encryption, not a replacement for AES. AES would continue to be required on devices that can do AES fast enough. This would only be for devices that do not meet the AES performance bar, so their status quo is No Encryption. I know, it is fun to poke holes in bad crypto, but much less interesting to poke holes in "no crypto" :-)

We can't use authenticated encryption for the same reason we can't use random or sequential nonces: there is nowhere to store the additional metadata (authentication tag and nonce) per filesystem block *and* have it updated atomically with respect to the contents of said block. Copy-on-write filesystems such as btrfs or bcachefs can do it. Traditional filesystems cannot. F2FS comes closer than EXT4 since F2FS is based on a log-structured filesystem, but only partially; for one, it still updates data in-place sometimes. This is not a new problem; this is also the reason why we haven't been able to add AES-GCM support yet.

Authentication aside, the greater problem here is the IV reuse. Unfortunately it actually will likely be even worse than we thought originally, because this would be used on flash storage that does wear leveling, and likely also with F2FS which often doesn't overwrite data in-place. So even under the "single point-in-time permanent offline compromise" threat model it may not be good enough. We are going to spend some more time investigating alternatives, but unfortunately there are not many.

Eric
Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption
On 8 December 2017 at 10:14, Stephan Mueller wrote:
> On Friday, 8 December 2017, 11:06:31 CET, Ard Biesheuvel wrote:
>
> Hi Ard,
>
>> Given how it is not uncommon for counters to be used as IV, this is a
>> fundamental flaw that could rear its head in other places as well, so
>> I propose we fix this one way (fix the current code) or the other
>> (deprecate the current code and create a new chacha20-rfc7539
>> blockcipher that uses a 96-bit IV and sets the counter to 0)
>
> Instead of having a complete new implementation of the ChaCha20 cipher, what
> about using a specific IV generator for which the kernel crypto API has
> already support (see crypto/seqiv.c for example)?
>
> I.e. we have the current ChaCha20 cipher, but use some "rfc7539iv(chacha20)"
> cipher mode where that rfc7539iv is the mentioned IV generator that turns the
> given IV (sector number?) into the proper IV for ChaCha20.
>

To be honest, I don't fully understand how the IV generators work. seqiv is implemented as an AEAD not as a skcipher, and we'd need to wrap chacha20 in something that is usable as a skcipher.

In any case, it does make sense to address this by wrapping chacha20 in something generic, rather than having to extend all implementations.
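Two points in this thread are easy to see in working code: Eric's reply to Jeffrey Walton further up (a stream cipher "fails more catastrophically than the other modes when IVs are reused": one guessed plaintext recovers the keystream for every version of the block, and ciphertext bit flips land on the same plaintext bits), and the counter-as-IV hazard Ard is proposing to fix here with a 96-bit nonce and a counter pinned to 0. The following is an added example written for this page; it is not code from the patch, from fscrypt or from the kernel's chacha20 driver. The ChaCha20 routines are a transcription of RFC 7539 sections 2.3 and 2.4 and are checked against the RFC's block test vector. Everything else is a constructed assumption for illustration only: the key, the 64-byte "block" size, the sample file contents, deriving the nonce from the logical block number, and the "4-byte counter || 12-byte nonce" IV layout in the second part, which stands in for the generic "counter used as IV" situation Ard describes and is not a claim about the real driver's IV format.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block, RFC 7539 2.3: constants | key | counter | nonce."""
    state = list(struct.unpack('<4I', b'expand 32-byte k')
                 + struct.unpack('<8I', key)
                 + (counter & MASK32,)
                 + struct.unpack('<3I', nonce))
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack('<16I', *[(w[i] + state[i]) & MASK32 for i in range(16)])


def chacha20_keystream(key, nonce, length, counter=0):
    out = b''
    while len(out) < length:
        out += chacha20_block(key, counter, nonce)
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# --- Part 1: the same block rewritten under the same IV (two-time pad) ---
KEY = bytes(range(32))  # constructed per-file key, NOT how fscrypt derives keys
BLOCK = 64              # toy filesystem block so the output stays short


def nonce_for_block(lblk):
    """Hypothetical per-block IV: the logical block number as a 12-byte nonce."""
    return lblk.to_bytes(12, 'little')


def crypt_block(lblk, data):
    """Encrypt or decrypt (same operation) one block under its per-block IV."""
    return xor(data, chacha20_keystream(KEY, nonce_for_block(lblk), len(data)))


V1 = b'[svc]\nuid=1000\nadmin=no\n'.ljust(BLOCK, b'\x00')              # constructed, version 1
V2 = b'[svc]\nuid=1000\nadmin=no\nkey=hunter2\n'.ljust(BLOCK, b'\x00')  # version 2, same block 7
C1 = crypt_block(7, V1)  # what an attacker imaged before the write
C2 = crypt_block(7, V2)  # what the attacker imaged after the write


def leaked_update():
    """No key, no guess: C1 ^ C2 == P1 ^ P2, so exactly which bytes changed is visible."""
    return xor(C1, C2)


def read_v2_from_guessed_v1():
    """Guess the old contents (a template file, say), recover the keystream, read the new ones."""
    keystream = xor(C1, V1)
    return xor(C2, keystream)


def forge_uid():
    """Flip ciphertext bits so the owner decrypts uid=0000; no key, and no garbled bytes."""
    off = V2.index(b'uid=1000') + len(b'uid=')
    forged = bytearray(C2)
    for i, (old, new) in enumerate(zip(b'1000', b'0000')):
        forged[off + i] ^= old ^ new
    return crypt_block(7, bytes(forged))  # the owner's view after decryption


# --- Part 2: a counter that lives inside the IV vs. a 96-bit nonce with counter 0 ---
def keystream_counter_in_iv(sector, length):
    """Hypothetical 16-byte IV = 4-byte counter || 12-byte nonce, fed the raw sector number."""
    iv = sector.to_bytes(16, 'little')
    return chacha20_keystream(KEY, iv[4:], length, counter=int.from_bytes(iv[:4], 'little'))


def keystream_rfc7539(sector, length):
    """The proposed shape: 96-bit nonce from the sector number, counter pinned to 0."""
    return chacha20_keystream(KEY, sector.to_bytes(12, 'little'), length, counter=0)


def keystream_shared(gen, sector_a, sector_b, length=128):
    """True when sector_a's second keystream block equals sector_b's first: cross-sector reuse."""
    return gen(sector_a, length)[64:] == gen(sector_b, length)[:64]


if __name__ == '__main__':
    print('changed bytes visible without key:', leaked_update()[24:36])
    print('v2 recovered from guessed v1:', read_v2_from_guessed_v1() == V2)
    print('owner decrypts forged block as:', forge_uid()[:15])
    print('counter-in-IV keystream reuse across sectors:', keystream_shared(keystream_counter_in_iv, 0, 1))
    print('rfc7539 nonce keystream reuse across sectors:', keystream_shared(keystream_rfc7539, 0, 1))
```

Run it with python3. Part 1 shows the three consequences of one IV serving two versions of a block: the XOR of the two ciphertexts is the XOR of the two plaintexts (the appended `key=hunter2` line is readable outright, because it was written over zero padding), a correct guess of the old contents decrypts the new ones, and a single flipped ciphertext byte turns `uid=1000` into `uid=0000` with every other byte intact, which is exactly the malleability an XTS block would at least turn into 16 bytes of garbage. Part 2 is why the IV format matters independently of that: if the low 32 bits of a 128-bit IV are interpreted as the block counter and the caller passes the sector number as the IV, sector 0 at counter 0..1 and sector 1 at counter 1..2 share a keystream block, whereas a 96-bit nonce with the counter reset to 0 per sector keeps them disjoint.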
Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption
On 8 December 2017 at 09:11, Ard Biesheuvel wrote:
> On 8 December 2017 at 09:11, Ard Biesheuvel wrote:
>> Hi Eric,
>>
>> On 8 December 2017 at 01:38, Eric Biggers wrote:
>>> From: Eric Biggers
>>>
>>> fscrypt currently only supports AES encryption. However, many low-end mobile devices still use older CPUs such as ARMv7, which do not support the AES instructions (the ARMv8 Cryptography Extensions). This results in very poor AES performance, even if the NEON bit-sliced implementation is used. Roughly 20-40 MB/s is a typical number, in comparison to 300-800 MB/s on CPUs that support the AES instructions. Switching from AES-256 to AES-128 only helps by about 30%.
>>>
>>> The result is that vendors don't enable encryption on these devices, leaving users unprotected.
>>>
>>> A performance difference of similar magnitude can also be observed on x86, between CPUs with and without the AES-NI instruction set.
>>>
>>> This patch provides an alternative to AES by updating fscrypt to support the ChaCha20 stream cipher (RFC7539) for contents encryption. ChaCha20 was designed to have a large security margin, to be efficient on general-purpose CPUs without dedicated instructions, and to be vectorizable. It is already supported by the Linux crypto API, including a vectorized implementation for ARM using NEON instructions, and vectorized implementations for x86 using SSSE3 or AVX2 instructions.
>>>
>>> On 32-bit ARM processors with NEON support, ChaCha20 is about 3.2 times faster than AES-128-XTS (chacha20-neon vs. xts-aes-neonbs). Without NEON support, ChaCha20 is about 1.5 times as fast (chacha20-generic vs. xts(aes-asm)). The improvement over AES-256-XTS is even greater.
>>>
>>> Note that stream ciphers are not an ideal choice for disk encryption, since each data block has to be encrypted with the same IV each time it is overwritten. Consequently, an adversary who observes the ciphertext both before and after a write can trivially recover the keystream if they can guess one of the plaintexts. Moreover, an adversary who can write to the ciphertext can flip arbitrary bits in the plaintext, merely by flipping the corresponding bits in the ciphertext. A block cipher operating in the XTS or CBC-ESSIV mode provides some protection against these types of attacks -- albeit not full protection, which would at minimum require the use of an authenticated encryption mode with nonces.
>>>
>>> Unfortunately, we are unaware of any block cipher which performs as well as ChaCha20, has a similar or greater security margin, and has been subject to as much public security analysis. We do not consider Speck to be a viable alternative at this time.
>>>
>>> Still, a stream cipher is sufficient to protect data confidentiality in the event of a single point-in-time permanent offline compromise of the disk, which currently is the primary threat model for fscrypt. Thus, when the alternative is quite literally *no encryption*, we might as well use a stream cipher.
>>>
>>> We offer ChaCha20 rather than the reduced-round variants ChaCha8 or ChaCha12 because ChaCha20 has a much higher security margin, and we are primarily targeting CPUs where ChaCha20 is fast enough, in particular CPUs that have vector instructions such as NEON or SSSE3. Also, the crypto API currently only supports ChaCha20. Still, if ChaCha8 and/or ChaCha12 support were to be added to the crypto API, it would be straightforward to support them in fscrypt too.
>>>
>>> Currently, stream ciphers cannot be used for filenames encryption with fscrypt because all filenames in a directory have to be encrypted with the same IV. Therefore, we offer ChaCha20 for contents encryption only. Filenames encryption still must use AES-256-CTS-CBC. This is acceptable because filenames encryption is not as performance-critical as contents encryption.
>>>
>>> Reviewed-by: Michael Halcrow
>>> Signed-off-by: Eric Biggers >>> --- >>> Documentation/filesystems/fscrypt.rst | 43 +++--- >>> fs/crypto/Kconfig | 1 + >>> fs/crypto/crypto.c| 69 >>> --- >>> fs/crypto/keyinfo.c | 2 + >>> include/linux/fscrypt.h | 6 ++- >>> include/uapi/linux/fs.h | 1 + >>> 6 files changed, 102 insertions(+), 20 deletions(-) >>> >>> diff --git a/Documentation/filesystems/fscrypt.rst >>> b/Documentation/filesystems/fscrypt.rst >>> index 776ddc655f79..927d3c88816b 100644 >>> --- a/Documentation/filesystems/fscrypt.rst >>> +++ b/Documentation/filesystems/fscrypt.rst >>> @@ -184,6 +184,9 @@ replaced with HKDF or another more standard KDF in the >>> future. >>>
Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption
On 8 December 2017 at 09:11, Ard Biesheuvel wrote:
> Hi Eric,
>
> On 8 December 2017 at 01:38, Eric Biggers wrote:
>> From: Eric Biggers
>>
>> fscrypt currently only supports AES encryption. However, many low-end mobile devices still use older CPUs such as ARMv7, which do not support the AES instructions (the ARMv8 Cryptography Extensions). This results in very poor AES performance, even if the NEON bit-sliced implementation is used. Roughly 20-40 MB/s is a typical number, in comparison to 300-800 MB/s on CPUs that support the AES instructions. Switching from AES-256 to AES-128 only helps by about 30%.
>>
>> The result is that vendors don't enable encryption on these devices, leaving users unprotected.
>>
>> A performance difference of similar magnitude can also be observed on x86, between CPUs with and without the AES-NI instruction set.
>>
>> This patch provides an alternative to AES by updating fscrypt to support the ChaCha20 stream cipher (RFC7539) for contents encryption. ChaCha20 was designed to have a large security margin, to be efficient on general-purpose CPUs without dedicated instructions, and to be vectorizable. It is already supported by the Linux crypto API, including a vectorized implementation for ARM using NEON instructions, and vectorized implementations for x86 using SSSE3 or AVX2 instructions.
>>
>> On 32-bit ARM processors with NEON support, ChaCha20 is about 3.2 times faster than AES-128-XTS (chacha20-neon vs. xts-aes-neonbs). Without NEON support, ChaCha20 is about 1.5 times as fast (chacha20-generic vs. xts(aes-asm)). The improvement over AES-256-XTS is even greater.
>>
>> Note that stream ciphers are not an ideal choice for disk encryption, since each data block has to be encrypted with the same IV each time it is overwritten. Consequently, an adversary who observes the ciphertext both before and after a write can trivially recover the keystream if they can guess one of the plaintexts. Moreover, an adversary who can write to the ciphertext can flip arbitrary bits in the plaintext, merely by flipping the corresponding bits in the ciphertext. A block cipher operating in the XTS or CBC-ESSIV mode provides some protection against these types of attacks -- albeit not full protection, which would at minimum require the use of an authenticated encryption mode with nonces.
>>
>> Unfortunately, we are unaware of any block cipher which performs as well as ChaCha20, has a similar or greater security margin, and has been subject to as much public security analysis. We do not consider Speck to be a viable alternative at this time.
>>
>> Still, a stream cipher is sufficient to protect data confidentiality in the event of a single point-in-time permanent offline compromise of the disk, which currently is the primary threat model for fscrypt. Thus, when the alternative is quite literally *no encryption*, we might as well use a stream cipher.
>>
>> We offer ChaCha20 rather than the reduced-round variants ChaCha8 or ChaCha12 because ChaCha20 has a much higher security margin, and we are primarily targeting CPUs where ChaCha20 is fast enough, in particular CPUs that have vector instructions such as NEON or SSSE3. Also, the crypto API currently only supports ChaCha20. Still, if ChaCha8 and/or ChaCha12 support were to be added to the crypto API, it would be straightforward to support them in fscrypt too.
>>
>> Currently, stream ciphers cannot be used for filenames encryption with fscrypt because all filenames in a directory have to be encrypted with the same IV. Therefore, we offer ChaCha20 for contents encryption only. Filenames encryption still must use AES-256-CTS-CBC. This is acceptable because filenames encryption is not as performance-critical as contents encryption.
>>
>> Reviewed-by: Michael Halcrow
>> Signed-off-by: Eric Biggers >> --- >> Documentation/filesystems/fscrypt.rst | 43 +++--- >> fs/crypto/Kconfig | 1 + >> fs/crypto/crypto.c| 69 >> --- >> fs/crypto/keyinfo.c | 2 + >> include/linux/fscrypt.h | 6 ++- >> include/uapi/linux/fs.h | 1 + >> 6 files changed, 102 insertions(+), 20 deletions(-) >> >> diff --git a/Documentation/filesystems/fscrypt.rst >> b/Documentation/filesystems/fscrypt.rst >> index 776ddc655f79..927d3c88816b 100644 >> --- a/Documentation/filesystems/fscrypt.rst >> +++ b/Documentation/filesystems/fscrypt.rst >> @@ -184,6 +184,9 @@ replaced with HKDF or another more standard KDF in the >> future. >> Encryption modes and usage >> == >> >> +Available modes >> +--- >> + >> fscrypt allows one encryption mode to be specified for file
Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption
Hi Eric,

On 8 December 2017 at 01:38, Eric Biggers wrote:
> From: Eric Biggers
>
> fscrypt currently only supports AES encryption. However, many low-end mobile devices still use older CPUs such as ARMv7, which do not support the AES instructions (the ARMv8 Cryptography Extensions). This results in very poor AES performance, even if the NEON bit-sliced implementation is used. Roughly 20-40 MB/s is a typical number, in comparison to 300-800 MB/s on CPUs that support the AES instructions. Switching from AES-256 to AES-128 only helps by about 30%.
>
> The result is that vendors don't enable encryption on these devices, leaving users unprotected.
>
> A performance difference of similar magnitude can also be observed on x86, between CPUs with and without the AES-NI instruction set.
>
> This patch provides an alternative to AES by updating fscrypt to support the ChaCha20 stream cipher (RFC7539) for contents encryption. ChaCha20 was designed to have a large security margin, to be efficient on general-purpose CPUs without dedicated instructions, and to be vectorizable. It is already supported by the Linux crypto API, including a vectorized implementation for ARM using NEON instructions, and vectorized implementations for x86 using SSSE3 or AVX2 instructions.
>
> On 32-bit ARM processors with NEON support, ChaCha20 is about 3.2 times faster than AES-128-XTS (chacha20-neon vs. xts-aes-neonbs). Without NEON support, ChaCha20 is about 1.5 times as fast (chacha20-generic vs. xts(aes-asm)). The improvement over AES-256-XTS is even greater.
>
> Note that stream ciphers are not an ideal choice for disk encryption, since each data block has to be encrypted with the same IV each time it is overwritten. Consequently, an adversary who observes the ciphertext both before and after a write can trivially recover the keystream if they can guess one of the plaintexts. Moreover, an adversary who can write to the ciphertext can flip arbitrary bits in the plaintext, merely by flipping the corresponding bits in the ciphertext. A block cipher operating in the XTS or CBC-ESSIV mode provides some protection against these types of attacks -- albeit not full protection, which would at minimum require the use of an authenticated encryption mode with nonces.
>
> Unfortunately, we are unaware of any block cipher which performs as well as ChaCha20, has a similar or greater security margin, and has been subject to as much public security analysis. We do not consider Speck to be a viable alternative at this time.
>
> Still, a stream cipher is sufficient to protect data confidentiality in the event of a single point-in-time permanent offline compromise of the disk, which currently is the primary threat model for fscrypt. Thus, when the alternative is quite literally *no encryption*, we might as well use a stream cipher.
>
> We offer ChaCha20 rather than the reduced-round variants ChaCha8 or ChaCha12 because ChaCha20 has a much higher security margin, and we are primarily targeting CPUs where ChaCha20 is fast enough, in particular CPUs that have vector instructions such as NEON or SSSE3. Also, the crypto API currently only supports ChaCha20. Still, if ChaCha8 and/or ChaCha12 support were to be added to the crypto API, it would be straightforward to support them in fscrypt too.
>
> Currently, stream ciphers cannot be used for filenames encryption with fscrypt because all filenames in a directory have to be encrypted with the same IV. Therefore, we offer ChaCha20 for contents encryption only. Filenames encryption still must use AES-256-CTS-CBC. This is acceptable because filenames encryption is not as performance-critical as contents encryption.
>
> Reviewed-by: Michael Halcrow
> Signed-off-by: Eric Biggers > --- > Documentation/filesystems/fscrypt.rst | 43 +++--- > fs/crypto/Kconfig | 1 + > fs/crypto/crypto.c| 69 > --- > fs/crypto/keyinfo.c | 2 + > include/linux/fscrypt.h | 6 ++- > include/uapi/linux/fs.h | 1 + > 6 files changed, 102 insertions(+), 20 deletions(-) > > diff --git a/Documentation/filesystems/fscrypt.rst > b/Documentation/filesystems/fscrypt.rst > index 776ddc655f79..927d3c88816b 100644 > --- a/Documentation/filesystems/fscrypt.rst > +++ b/Documentation/filesystems/fscrypt.rst > @@ -184,6 +184,9 @@ replaced with HKDF or another more standard KDF in the > future. > Encryption modes and usage > == > > +Available modes > +--- > + > fscrypt allows one encryption mode to be specified for file contents > and one encryption mode to be specified for filenames. Different > directory trees are permitted to use different encryption modes. > @@ -191,24 +194,52 @@
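Review bot: in the fscrypt.rst hunk at @@ -184,6 +184,9 @@, the underline added for the new "Available modes" subsection shows as `+---`, shorter than the heading text; reStructuredText requires a section underline at least as long as its title, and Sphinx otherwise reports "Title underline too short" and can mis-nest the section. The existing `==` shown under "Encryption modes and usage" looks trimmed the same way, so this may be how the archive rendered the lines rather than what the patch contains; worth a glance at the applied file, and the subsection should use a dash underline that is at least the length of "Available modes".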
Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption
On 8 December 2017 at 02:51, Jason A. Donenfeld wrote:
> Hi Eric,
>
> Nice to see more use of ChaCha20. However...
>
> Can we skip over the "sort of worse than XTS, but not having _real_
> authentication sucks anyway in either case, so whatever" and move
> directly to, "linux finally supports authenticated encryption for disk
> encryption!"?

Ehm, it doesn't? This is plain ChaCha20, not any AEAD variant.

> This would be a big deal and would actually be a
> noticeable security improvement, instead of a potentially dubious step
> sidewaysbackish.
>

It is actually dubious, given the large scale reuse of IVs with a stream cipher. I do suppose though that using an AEAD variant would at least catch any attacks involving flipping ciphertext bits resulting in plaintext bits being flipped at the same offset (but file updates would still be visible in the clear)

> Bcachefs supports ChaCha20Poly1305, which is pretty neat. From what
> I've read, performance is acceptable too.
> http://bcachefs.org/Encryption/
>
> Jason
Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption
Hi Eric,

Nice to see more use of ChaCha20. However...

Can we skip over the "sort of worse than XTS, but not having _real_ authentication sucks anyway in either case, so whatever" and move directly to, "linux finally supports authenticated encryption for disk encryption!"? This would be a big deal and would actually be a noticeable security improvement, instead of a potentially dubious step sidewaysbackish.

Bcachefs supports ChaCha20Poly1305, which is pretty neat. From what I've read, performance is acceptable too.
http://bcachefs.org/Encryption/

Jason