You are not logged in.
- Topics: Active | Unanswered
#1 2024-09-22 17:42:23
- ua4000
- Member
- Registered: 2015-10-14
- Posts: 558
[SOLVED] fscrypt - encrypted files roams out of encrypted directory
Too keep some few files secure, I have a fscrypt (@ ext4) setup in a directory in my home, e.g. /home/me/secure
I noticed now when I "move" files from this secure location to /home/me/Downloads, they are still encrypted in the target folder, which is outside the fscrypt setup.
- happens with "mv", PCManFM Move, Midnight Commander (mc) move,
- but not with "cp", PCManFM Copy, Midnight Commander (mc) copy, rsync
Checked with "lsattr -a".
I thought, the idea of using fscrypt is to have the secure files only inside the special directory, not everywhere roaming on the ext4 filesystem ?
When setting up the fscrypt, it's always about encrypt/lock/unlock/status a directory - now I found out the encryption is not bound to this directory ?
Edit: [SOLVED]
Last edited by ua4000 (2024-09-24 15:18:14)
Offline
#2 2024-09-23 21:32:35
- Strike0
- Member
- From: Germany
- Registered: 2011-09-05
- Posts: 1,489
Re: [SOLVED] fscrypt - encrypted files roams out of encrypted directory
You're not clear on whether you unlocked the fscrypt dir prior, but I believe you're hitting a kernel limitation with moving. See https://github.com/google/fscrypt/issues/393 and in particular https://github.com/google/fscrypt/issue … 1843936402
Offline
#3 2024-09-24 15:17:38
- ua4000
- Member
- Registered: 2015-10-14
- Posts: 558
Re: [SOLVED] fscrypt - encrypted files roams out of encrypted directory
Thanks very much for the links, I think the 1st one is mine, known, old, by design, and will probably not get fixed.
The ability to move encrypted files into an unencrypted directory existed in the original version of ext4 encryption which was merged into the kernel in 2015. That predates me getting involved. I'd guess that this behavior was a result of it being desirable to support moving encrypted directories into unencrypted directories. If regular files aren't treated any differently, that results in the behavior in question. Note that changing this would break any users who are relying on the current behavior. So, it's not clear that it would even be possible to change it. The Linux kernel provides strong backwards compatibility guarantees.
And yes, the fscrypt dir is unlocked prior.
Else you have to deal with encrypted filenames and then got this on:
cp DuO1laS-XPlSUPc4pq2y_THN066yuHkbJKqFgCslchMosHmt7eJjBg ../Downloads/
cp: cannot open DuO1laS-XPlSUPc4pq2y_THN066yuHkbJKqFgCslchMosHmt7eJjBg for reading: Required key not availableOffline