I read that the f2fs format is good for SSD storage so I formatted one of my drives with it. I also read in some kernel notes that encryption was added for it but there's no documentation to speak of. I typically prefer whole disk encryption. I'm not sure if that's possible for f2fs.
I'm wondering if anyone knows any steps in which I might be able to encrypt an f2fs drive. I know it's done on Android for their full drive encryption (I'm running Ubuntu). Is LUKS filesystem agnostic? I don't think so. Any encryption would be good.
No docs == no good.
Here's a reference of kernel updates: http://lkml.iu.edu/hypermail/linux/kernel/1506.3/00598.html
Best Answer
Out of f2fscrypt man page:
# mkfs.f2fs -O encrypt /dev/sdxx# mount /dev/sdxx /encrypted/# mkdir /encrypted/dirFirst create the key in the keyring use an simple salt (or generate a random salt). Then use it to set the policy for the directory to be encrypted.
# f2fscrypt add_key -S 0x1234Enter passphrase (echo disabled):Added key with descriptor [28e21cc0c4393da1]# f2fscrypt set_policy 28e21cc0c4393da1 /encrypted/dirKey with descriptor [28e21cc0c4393da1] applied to /encrypted/dir.# touch /encrypted/dir/test.txt# ls -l /encrypted/dir/-rw-r--r--. 1 root root 0 Mar 5 21:41 test.txtAfter each reboot, the same command can be used set the key for decryption of the directory and its descendants.
# ls -l /encrypted/dir/-rw-r--r--. 1 root root 0 Mar 5 21:41 zbx7tsUEMLzh+AUVMkQcnB# f2fscrypt get_policy /encrypted/dir//encrypted/dir/: 28e21cc0c4393da1# f2fscrypt add_key -S 0x1234Enter passphrase (echo disabled):Added key with descriptor [28e21cc0c4393da1]# ls -l /encrypted/dir/-rw-r--r--. 1 root root 0 Mar 5 21:41 test.txtShow process keyrings.
# keyctl showSession Keyring084022412 --alswrv 0 0 keyring: _ses204615789 --alswrv 0 65534 \_ keyring: _uid.0529474961 --alsw-v 0 0 \_ logon: f2fs:28e21cc0c4393da1Figuring out how to implement this in boottime