BcacheFS: more secure encryption inside the filesystem?

Currently listening on Antennapod (on Linux, Kasts is nice)


LINUX Unplugged: 572: Data Security Only a Maniac Could Love

Website of the episode: https://linuxunplugged.com/572

Media file: https://aphid.fireside.fm/d/1437767933/f31a453c-fa15-491f-8618-3f71f1d565e5/aa3981c0-3297-4a2f-9882-a51aaa6fa414.mp3


BcacheFS integrates filesystem based encryption, without using LUKS, which is block-based and thus not as complete.

It allows TPM unlock and stores the keys in the kernel keyring.

The encryption uses chacha2; each block is authenticated with a MAC.

Due to being filesystem encryption, you have a chain of trust up to the “super block”. Block-based encryption cannot store MACs without causing alignment problems.

When entering the password in the initramfs, the key is derived from the password using scrypt.

Really cool stuff! I want to experiment installing Kinoite on bcacheFS, but never used Anaconda with manual partitioning before.
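As an added illustration of the scheme the post sketches (an scrypt-derived key, ChaCha20 per block, and a per-block MAC so that a modified or relocated block is rejected): this is example code written for this thread, not code from the podcast, the thread, or the bcachefs project. The scrypt cost parameters, the salt, the nonce layout and the use of HMAC-SHA256 in place of Poly1305 are assumptions made for the illustration; bcachefs's real on-disk format is different.

```python
import hashlib, hmac, struct

MASK = 0xFFFFFFFF
_rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK

def _qr(s, a, b, c, d):  # ChaCha quarter round, in place (RFC 8439 section 2.1)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    # One 64-byte keystream block (RFC 8439 section 2.3): 32-byte key, 32-bit counter, 12-byte nonce
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8L", key) + (counter,) + struct.unpack("<3L", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds as 10 double rounds: a column round, then a diagonal round
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(a + b) & MASK for a, b in zip(state, w)])

def chacha20_xor(key, nonce, data, counter=1):
    # Stream cipher: XOR the data with successive keystream blocks (encrypts and decrypts alike)
    return b"".join(bytes(p ^ k for p, k in zip(data[o:o + 64], chacha20_block(key, counter + o // 64, nonce)))
                    for o in range(0, len(data), 64))

def derive_keys(passphrase, salt):
    # Passphrase -> key material with scrypt, as the thread describes for the initramfs unlock.
    # Cost parameters are illustrative (assumption), not bcachefs's; 64 bytes split into cipher + MAC key.
    km = hashlib.scrypt(passphrase, salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]

def _nonce(block_no):
    # The block number feeds the nonce and the MAC, so a block copied elsewhere on disk fails to verify
    return struct.pack("<Q", block_no) + bytes(4)

def seal_block(keys, block_no, plaintext):
    # Encrypt one block and append a 16-byte tag. HMAC-SHA256 stands in here for the Poly1305 MAC.
    enc_key, mac_key = keys
    ct = chacha20_xor(enc_key, _nonce(block_no), plaintext)
    return ct + hmac.new(mac_key, _nonce(block_no) + ct, hashlib.sha256).digest()[:16]

def open_block(keys, block_no, sealed):
    # Verify the tag before decrypting: a modified or relocated block is rejected, not silently decrypted
    enc_key, mac_key = keys
    ct, tag = sealed[:-16], sealed[-16:]
    expect = hmac.new(mac_key, _nonce(block_no) + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("block %d failed authentication" % block_no)
    return chacha20_xor(enc_key, _nonce(block_no), ct)
```

Flipping one ciphertext byte, or handing `open_block` the same bytes under a different block number, raises instead of returning garbage; a plain block cipher without a stored tag cannot tell either case apart from valid data.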

Is BcacheFS even an option in Anaconda? I don’t believe it is, so you would be doing a full manual install or a Kickstart file? Not sure how any of that would work with rpm-ostree.


Yeah, me neither. That doesn’t sound easy :wink:

Yeah you’re right so here goes:

  • Is a manual install of rpm-ostree possible on Fedora?
  • Do you have to build bcachefs to get it to work, or are there packages already?
  • Would ublue be a better option for this, allowing you to customize this in better detail, by already having the barebones available and being potentially more efficiently reproducible?
  1. There is at least a spec already
  2. True, as the package is not integrated, it might not be possible at all.

It could still be possible, but I’ll leave that up to you.

https://bcachefs-docs.readthedocs.io/en/latest/index.html