Go tool for managing Linux filesystem encryption
The release notes can now be found in the NEWS file.
This release contains fixes for three security vulnerabilities and related security hardening:
fscrypt bash completion script (CVE-2022-25328, command injection).
fscrypt metadata directories non-world-writable by default (CVE-2022-25326, denial of service).
0600 rather than 0644.
root encrypts a directory with a user's login protector, not just the login protector itself.
pam_fscrypt ignore system users completely.
Thanks to Matthias Gerstner (SUSE) for reporting the above vulnerabilities and suggesting additional hardening.
Note: none of these vulnerabilities or changes are related to the cryptography used. The main issue was that it wasn't fully considered how fscrypt's metadata storage method could lead to denial-of-service attacks if a local user is malicious.
Although upgrading to v0.3.3 shouldn't break existing users, there may be some edge cases where users were relying on functionality in ways we didn't anticipate. If you encounter any issues, please report them as soon as possible so that we can find a solution for you.
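The permission defaults named in the v0.3.3 notes above (non-world-writable metadata directories, files at 0600 rather than 0644) can be checked on an existing installation. The following Go program is an added example, not code from fscrypt or from these release notes; the names AuditMetadata and Finding and the default path /.fscrypt in main are assumptions made for illustration.

```go
package main
import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Finding is one permission looser than the defaults in the release notes.
type Finding struct {
	Path, Reason string
	Mode         fs.FileMode
}

// AuditMetadata reports world-writable directories and files broader than 0600.
func AuditMetadata(root string) ([]Finding, error) {
	root, err := filepath.EvalSymlinks(root) // the metadata dir may be a symlink
	if err != nil {
		return nil, err
	}
	var out []Finding
	err = filepath.Walk(root, func(p string, info fs.FileInfo, err error) error {
		if err != nil {
			return err
		}
		perm := info.Mode().Perm()
		if info.IsDir() && perm&0o002 != 0 {
			out = append(out, Finding{p, "world-writable directory", perm})
		} else if info.Mode().IsRegular() && perm&0o077 != 0 {
			out = append(out, Finding{p, "file mode broader than 0600", perm})
		}
		return nil
	})
	return out, err
}

func main() {
	root := "/.fscrypt" // assumed default; pass another metadata dir as argv[1]
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, err := AuditMetadata(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit failed:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%04o  %s  (%s)\n", f.Mode, f.Path, f.Reason)
	}
}
```

A world-writable finding is not necessarily a misconfiguration, since the notes only say the directories are non-world-writable by default; treat the output as a list to review.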
This release includes the following improvements:
fscrypt work when the root directory is a btrfs filesystem.
pam_fscrypt start warning when a user's login protector is getting de-synced due to their password being changed by root.
fscrypt metadata remove-protector-from-policy work even if the protector is no longer accessible.
fscrypt stop trying to access irrelevant filesystems.
This release includes the following improvements:
fscrypt uses for password hashing, to avoid out-of-memory situations
While this release includes some potentially breaking changes, we don't expect this to break users in practice.
pam_fscrypt module:
drop_caches and lock_policies options. The lock_policies behavior is now unconditional, while the correct drop_caches setting is now auto-detected. Existing PAM files that specify these options will continue to work, but these options will now be ignored.
pam_fscrypt session hook is now inserted into the correct place in the PAM stack when pam_fscrypt is configured using Debian's / Ubuntu's PAM configuration framework.
fscrypt
This release includes:
fscrypt status DIR on v1-encrypted directories in some cases (https://github.com/google/fscrypt/pull/237).
This release includes:
fscrypt to work in containers (https://github.com/google/fscrypt/pull/213)
encrypt feature flag needs to be enabled on an ext4 filesystem, fscrypt will now show the tune2fs command to run.
The main addition in this release is that we now automatically detect support for V2 policies when running fscrypt setup and configure /etc/fscrypt.conf appropriately (#205). This allows users on newer kernels to automatically start using V2 policies without manually changing /etc/fscrypt.conf. To use these new policies, simply run sudo fscrypt setup and your /etc/fscrypt.conf will be automatically updated.
We also made changes to make the build of fscrypt reproducible:
fscrypt --version output (#207)
-trimpath (#208)
Finally, we added improved documentation (#201, #204, #205) and fixed up the Makefile (#200).
The big feature in this release is #148, support for v2 kernel encryption policies. With the release of Linux 5.4, the kernel added a new type of policy that makes fscrypt much easier to use. For directories using these new policies:
fscrypt unlock makes the plaintext version of the directory visible to all users (if they have permission). This makes sharing encrypted folders between users (or a user and root) much easier.
fscrypt lock (also new in this release) can be run as a non-root user.
keyctl link or to reconfigure pam_keyinit.
To use this new functionality, make sure you are on Linux 5.4 or later. Then, add "policy_version": "2" to "options" in /etc/fscrypt.conf. After this, all new directories will be encrypted with v2 policies. See the README.md for more information, including how to use some of the new kernel features with existing directories.
Many thanks to @ebiggers for the herculean effort to get this code (and the kernel code) tested and merged.
Other new features in this release:
.fscrypt directory can now be a symlink. #150
Bug fixes in this release:
fscrypt setup now properly creates /.fscrypt #149
A special thanks to @ebiggers for most of the changes in this release.
With the release of 1.13 recently, the minimum supported version of Go for fscrypt is now 1.12.
With #107, fscrypt now uses go modules (and no longer uses dep).
New Features:
fscrypt status DIR
Changes to improve stability of fscrypt:
The remaining changes include numerous fixes to the Documentation and CI.