fscrypt.git/metadata/metadata.pb.go, branch master Go tool for managing Linux filesystem encryption Upgrade google.golang.org/protobuf 2025-11-04T21:53:37+00:00 Eric Biggers ebiggers@google.com 2025-11-04T21:44:04+00:00 38ec4ee5af9dd31d6b81721439fcdf9a30f4a9cd Ran the following commands, using Go 1.23.12: go get google.golang.org/protobuf go mod tidy make gen 
Ran the following commands, using Go 1.23.12:

    go get google.golang.org/protobuf
    go mod tidy
    make gen
Upgrade google.golang.org/protobuf to v1.33.0 2024-03-19T21:57:34+00:00 Eric Biggers ebiggers@google.com 2024-03-19T21:55:59+00:00 ec1b997ea0b7f75eeaea3d139de86a0b707ecb38 






Upgrade google.golang.org/protobuf
2023-09-09T22:54:30+00:00

Eric Biggers
ebiggers@google.com

2023-09-09T22:34:26+00:00

8af5290942f1c9ee127ab4557d70d9b0550c1fd5












Add truncation_fixed field to HashingCosts
2022-12-04T22:36:56+00:00

Joe Richey
joerichey@google.com

2022-08-27T06:40:44+00:00

7ae302aa0dba1d1ea4bbeffae1917792722460c8

This allows us to fix the bug where Parallelism is inadvertantly
truncated to 8 bits in a backwards compatible way.

Signed-off-by: Joe Richey <joerichey@google.com>





This allows us to fix the bug where Parallelism is inadvertantly
truncated to 8 bits in a backwards compatible way.

Signed-off-by: Joe Richey <joerichey@google.com>







Update file comment
2022-12-04T22:36:56+00:00

Joe Richey
joerichey@google.com

2022-08-27T06:35:33+00:00

30c4e497c609f0244cc9f98bc004c13a324c9f54

We now create the `*pb.go` files via the makefile instead of though
`go generate`.

Signed-off-by: Joe Richey <joerichey@google.com>





We now create the `*pb.go` files via the makefile instead of though
`go generate`.

Signed-off-by: Joe Richey <joerichey@google.com>







Add support for AES_256_HCTR2 filenames encryption
2022-10-20T03:45:51+00:00

Eric Biggers
ebiggers@google.com

2022-10-18T17:02:50+00:00

632d66d6fddfa9fd0a279a1811ced1efc567be29

Support for AES_256_HCTR2 filenames encryption was added in kernel
version 6.0.  The kernel doesn't yet support AES_256_HCTR2 for contents
encryption.





Support for AES_256_HCTR2 filenames encryption was added in kernel
version 6.0.  The kernel doesn't yet support AES_256_HCTR2 for contents
encryption.







Switch to google.golang.org/protobuf/proto
2022-04-09T06:38:01+00:00

Eric Biggers
ebiggers@google.com

2022-04-09T06:16:59+00:00

ca7a84b8aea203025acbda193f78ea98946236b5

github.com/golang/protobuf/proto has been deprecated in favor of
google.golang.org/protobuf/proto, so migrate to the non-deprecated one.





github.com/golang/protobuf/proto has been deprecated in favor of
google.golang.org/protobuf/proto, so migrate to the non-deprecated one.







Strictly validate metadata file ownership by default
2022-02-23T20:35:04+00:00

Eric Biggers
ebiggers@google.com

2022-02-23T20:35:04+00:00

74e870b7bd1585b4b509da47e0e75db66336e576

The metadata validation checks introduced by the previous commits are
good, but to reduce the attack surface it would be much better to avoid
reading and parsing files owned by other users in the first place.

There are some possible use cases for users sharing fscrypt metadata
files, but I think that for the vast majority of users it is unneeded
and just opens up attack surface.  Thus, make fscrypt (and pam_fscrypt)
not process policies or protectors owned by other users by default.
Specifically,

   * If fscrypt or pam_fscrypt is running as a non-root user, only
     policies and protectors owned by the user or by root can be used.

   * If fscrypt is running as root, any policy or protector can be used.
     (This is to match user expectations -- starting a sudo session
     should gain rights, not remove rights.)

   * If pam_fscrypt is running as root, only policies and protectors
     owned by root can be used.  Note that this only applies when the
     root user themselves has an fscrypt login protector, which is rare.

Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which
allows restoring the old behavior for anyone who really needs it.





The metadata validation checks introduced by the previous commits are
good, but to reduce the attack surface it would be much better to avoid
reading and parsing files owned by other users in the first place.

There are some possible use cases for users sharing fscrypt metadata
files, but I think that for the vast majority of users it is unneeded
and just opens up attack surface.  Thus, make fscrypt (and pam_fscrypt)
not process policies or protectors owned by other users by default.
Specifically,

   * If fscrypt or pam_fscrypt is running as a non-root user, only
     policies and protectors owned by the user or by root can be used.

   * If fscrypt is running as root, any policy or protector can be used.
     (This is to match user expectations -- starting a sudo session
     should gain rights, not remove rights.)

   * If pam_fscrypt is running as root, only policies and protectors
     owned by root can be used.  Note that this only applies when the
     root user themselves has an fscrypt login protector, which is rare.

Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which
allows restoring the old behavior for anyone who really needs it.







Simplify choosing the key description prefix
2020-03-23T20:20:27+00:00

Eric Biggers
ebiggers@google.com

2020-03-18T04:10:58+00:00

ae886a89f541a74255c9a41f7fa504a82ee6413e

There's no real need to allow users to choose the key description prefix
(a.k.a. the "service"), since on ext4 and f2fs we can just use "ext4"
and "f2fs" for compatibility with all kernels both old and new, and on
other filesystems we can just use "fscrypt".  So, let's do that.

Since this removes the point of the "--legacy" option to 'fscrypt setup'
and the "compatibility" field in /etc/fscrypt.conf, remove those too.

Specifically, we start ignoring the "compatibility" in existing config
files and not writing it to new ones.  The corresponding protobuf field
number and name are reserved.  We stop accepting the "--legacy" option
at all, although since it was default true and there was no real reason
for anyone to change it to false, probably no one will notice.  If
anyone does, they should just stop specifying the option.

Note that this change only affects user keyrings and thus only affects
v1 encryption policies, which are deprecated in favor of v2 anyway.





There's no real need to allow users to choose the key description prefix
(a.k.a. the "service"), since on ext4 and f2fs we can just use "ext4"
and "f2fs" for compatibility with all kernels both old and new, and on
other filesystems we can just use "fscrypt".  So, let's do that.

Since this removes the point of the "--legacy" option to 'fscrypt setup'
and the "compatibility" field in /etc/fscrypt.conf, remove those too.

Specifically, we start ignoring the "compatibility" in existing config
files and not writing it to new ones.  The corresponding protobuf field
number and name are reserved.  We stop accepting the "--legacy" option
at all, although since it was default true and there was no real reason
for anyone to change it to false, probably no one will notice.  If
anyone does, they should just stop specifying the option.

Note that this change only affects user keyrings and thus only affects
v1 encryption policies, which are deprecated in favor of v2 anyway.







Metadata support for v2 encryption policies
2020-01-05T18:02:13+00:00

Eric Biggers
ebiggers@google.com

2019-12-16T03:31:39+00:00

2b25de6d445faefc28629603dd754aec9f744e60

Linux v5.4 and later supports v2 encryption policies.  These have
several advantages over v1 encryption policies:

- Their encryption keys can be added/removed to/from the filesystem by
  non-root users, thus gaining the benefits of the filesystem keyring
  while also retaining support for non-root use.

- They use a more standard, secure, and flexible key derivation
  function.  Because of this, some future kernel-level fscrypt features
  will be implemented for v2 policies only.

- They prevent a denial-of-service attack where a user could associate
  the wrong key with another user's encrypted files.

Prepare the fscrypt tool to support v2 encryption policies by:

- Adding a policy_version field to the EncryptionOptions, i.e. to the
  config file and to the policy metadata files.

- Using the kernel-specified algorithm to compute the key descriptor for
  v2 policies.

- Handling setting and getting v2 policies.

Actually adding/removing the keys for v2 policies to/from the kernel is
left for the next patch.





Linux v5.4 and later supports v2 encryption policies.  These have
several advantages over v1 encryption policies:

- Their encryption keys can be added/removed to/from the filesystem by
  non-root users, thus gaining the benefits of the filesystem keyring
  while also retaining support for non-root use.

- They use a more standard, secure, and flexible key derivation
  function.  Because of this, some future kernel-level fscrypt features
  will be implemented for v2 policies only.

- They prevent a denial-of-service attack where a user could associate
  the wrong key with another user's encrypted files.

Prepare the fscrypt tool to support v2 encryption policies by:

- Adding a policy_version field to the EncryptionOptions, i.e. to the
  config file and to the policy metadata files.

- Using the kernel-specified algorithm to compute the key descriptor for
  v2 policies.

- Handling setting and getting v2 policies.

Actually adding/removing the keys for v2 policies to/from the kernel is
left for the next patch.