Linux kernel 4.1 introduced native encryption for the ext4 filesystem.
This is a userspace tool to manage encrypted ext4 directories.
Warning: this kernel feature is very unstable and experimental at the moment. I managed to crash my kernel (4.1.2) a few times very easily just by playing with it.
The target directory must be empty.
$ mkdir vault
$ ext4-crypt create vault
Enter passphrase:
Confirm passphrase:
vault: Encryption policy is now set.
$ ext4-crypt status vault
Policy version: 0
Filename cipher: aes-256-cts
Contents cipher: aes-256-xts
Filename padding: 4
Key descriptor: qC6PCZsF
Key serial: 351198062$ ls vault
FTRsD7y2dUyXl6e8omKYbB IdLqPffZBKSebTeh6hZI7C tReYAc2tKyIOHSIcaSV2DB
$ ext4-crypt attach vault
Enter passphrase:
$ ls vault
fstab passwd servicescmake .
make
sudo make installDistribution packages could be provided later if deemed useful.
Linux kernel 4.1+ with support for CONFIG_EXT4_ENCRYPTION.
So basically, any passphrase you provide will be accepted, but you'll get junk if you provide the wrong key. This is currently a limitation of the kernel implementation.
Cipher is hardcoded to be AES-256-XTS for data and AES-256-CTS for filenames. More ciphers will probably be available in future kernel versions.
The encryption policy is stored at the inode level and cannot be removed from userspace. You'll need to provide the right key and copy the data to another directory if you want to remove the encryption.
That is a kernel issue. The dentries cache is not invalidated when you remove the key and still contains the plaintext filenames.
You must remount the device or force a filesystem cache flush with:
# echo 2 > /proc/sys/vm/drop_caches- libkeyutils
- libsodium