How To F2FS Filesystem Encryption


I read that the f2fs format is good for SSD storage so I formatted one of my drives with it. I also read in some kernel notes that encryption was added for it but there's no documentation to speak of. I typically prefer whole disk encryption. I'm not sure if that's possible for f2fs.

I'm wondering if anyone knows any steps in which I might be able to encrypt an f2fs drive. I know it's done on Android for their full drive encryption (I'm running Ubuntu). Is LUKS filesystem agnostic? I don't think so. Any encryption would be good.

No docs == no good.

Here's a reference of kernel updates: http://lkml.iu.edu/hypermail/linux/kernel/1506.3/00598.html

Best Answer

From the f2fscrypt man page:

# mkfs.f2fs -O encrypt /dev/sdxx
# mount /dev/sdxx /encrypted/
# mkdir /encrypted/dir

First create the key in the keyring using a simple salt (or generate a random salt). Then use it to set the policy for the directory to be encrypted.

# f2fscrypt add_key -S 0x1234
Enter passphrase (echo disabled):
Added key with descriptor [28e21cc0c4393da1]

# f2fscrypt set_policy 28e21cc0c4393da1 /encrypted/dir
Key with descriptor [28e21cc0c4393da1] applied to /encrypted/dir.

# touch /encrypted/dir/test.txt
# ls -l /encrypted/dir/
-rw-r--r--. 1 root root 0 Mar 5 21:41 test.txt

After each reboot, the same command can be used to set the key for decryption of the directory and its descendants.

# ls -l /encrypted/dir/
-rw-r--r--. 1 root root 0 Mar 5 21:41 zbx7tsUEMLzh+AUVMkQcnB

# f2fscrypt get_policy /encrypted/dir/
/encrypted/dir/: 28e21cc0c4393da1

# f2fscrypt add_key -S 0x1234
Enter passphrase (echo disabled):
Added key with descriptor [28e21cc0c4393da1]

# ls -l /encrypted/dir/
-rw-r--r--. 1 root root 0 Mar 5 21:41 test.txt

Show process keyrings.

# keyctl show
Session Keyring
084022412 --alswrv 0 0 keyring: _ses
204615789 --alswrv 0 65534 \_ keyring: _uid.0
529474961 --alsw-v 0 0 \_ logon: f2fs:28e21cc0c4393da1

Figuring out how to implement this at boot time.
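An added example, not from the answer or the f2fscrypt project, of the boot-time step the answer leaves open: a POSIX shell script that reads the directory's policy descriptor with f2fscrypt get_policy, checks keyctl show for the matching logon key, and only runs add_key -S when it is missing, then verifies the descriptor that came back matches the directory. It assumes f2fscrypt and keyctl are installed; the salt 0x1234 stands in for whatever salt you used, and the sample outputs are constructed from the session quoted above.

```shell
#!/bin/sh
# Constructed sample of `keyctl show` output (copied from the answer above),
# used to exercise the parsing helpers without touching a real keyring.
SAMPLE_KEYCTL='Session Keyring
084022412 --alswrv 0 0 keyring: _ses
204615789 --alswrv 0 65534 \_ keyring: _uid.0
529474961 --alsw-v 0 0 \_ logon: f2fs:28e21cc0c4393da1'

# Extract the 16-hex-digit descriptor from one line of `f2fscrypt get_policy`
# output, e.g. "/encrypted/dir/: 28e21cc0c4393da1" -> "28e21cc0c4393da1".
# Prints nothing when the line carries no policy.
policy_descriptor() {
    printf '%s\n' "$1" | sed -n 's/^.*: \([0-9a-f]\{16\}\)$/\1/p'
}

# Succeed (exit 0) when the `keyctl show` text in $2 holds a logon key for
# the f2fs descriptor in $1; the key type prefix "f2fs:" is what the kernel uses.
keyring_has_f2fs_key() {
    printf '%s\n' "$2" | grep -q "logon: f2fs:$1\$"
}

# Ensure the key for directory $1 is present, adding it with salt $2 if not.
# add_key prompts for the passphrase; a wrong passphrase yields a different
# descriptor, which the final check catches instead of leaving files unreadable.
ensure_key_loaded() {
    dir=$1
    salt=$2
    desc=$(policy_descriptor "$(f2fscrypt get_policy "$dir")") || return 1
    if [ -z "$desc" ]; then
        echo "no encryption policy set on $dir" >&2
        return 1
    fi
    if keyring_has_f2fs_key "$desc" "$(keyctl show)"; then
        echo "key $desc already in keyring"
        return 0
    fi
    f2fscrypt add_key -S "$salt" || return 1
    keyring_has_f2fs_key "$desc" "$(keyctl show)" ||
        { echo "added key does not match policy $desc" >&2; return 1; }
}

# Dry check against the sample: is the answer's key visible in the sample keyring?
sample_key_present() {
    keyring_has_f2fs_key 28e21cc0c4393da1 "$SAMPLE_KEYCTL"
}

# Real run (needs root and the mounted filesystem):
# ensure_key_loaded /encrypted/dir 0x1234
```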
