fscrypt
Encrypt files and directories
TLDR
Prepare the root filesystem for use with fscrypt
Prepare a specific mountpoint for use with fscrypt
Enable filesystem encryption for a directory
Unlock an encrypted directory
Lock an encrypted directory
SYNOPSIS
fscrypt [GLOBAL_OPTIONS] <COMMAND> [COMMAND_OPTIONS] [ARGUMENTS]
Examples:
fscrypt setup <mountpoint>
fscrypt enroll <directory>
fscrypt unlock <mountpoint>
fscrypt status <mountpoint_or_path>
PARAMETERS
-h, --help
Displays help information for the main command or a specific subcommand.
-v, --verbose
Enables verbose output, showing more detailed information about operations.
--version
Displays the fscrypt version information.
--owner=<user>
Specifies the owner (a user or group, by ID or name) for the encryption policy (e.g., used with enroll).
--source=<type>
Sets the source of the encryption key, such as passphrase, tpm2, pam_passphrase, or pkcs11.
--hash=<algorithm>
Specifies the passphrase hashing algorithm to use, commonly scrypt or pbkdf2.
--hkdf=<algorithm>
Sets the HKDF (HMAC-based Key Derivation Function) algorithm, typically sha256.
--fs-config-uuid=<uuid>
Specifies a particular filesystem configuration by its UUID, especially useful for systems with multiple configurations.
--policy-uuid=<uuid>
Refers to an existing encryption policy by its UUID for operations like modifying or managing.
--wipe-keys
(Used with lock) Instructs fscrypt to securely wipe the decryption keys from kernel memory upon locking.
DESCRIPTION
fscrypt is a user-space tool that provides an easy-to-use interface for the Linux kernel's fscrypt feature. It enables transparent, per-directory encryption on supported filesystems like ext4, f2fs, and ubifs. Rather than encrypting an entire partition, fscrypt encrypts specific directories; every file created inside an encrypted directory is encrypted automatically.
The tool handles the complex tasks of key management, passphrase hashing, and interacting with the kernel's encryption keyring. It supports various key sources, including user-provided passphrases, system login passphrases via PAM, and hardware security modules like TPM 2.0 or PKCS#11 tokens.
By simplifying the setup and ongoing management of encrypted data, fscrypt lets users protect sensitive information stored on their Linux systems without requiring full disk encryption or complex manual key handling, keeping that data encrypted at rest.
CAVEATS
fscrypt relies on specific Linux kernel features (the fscrypt module) and filesystem versions (ext4 with the `encrypt` feature enabled, f2fs, and ubifs). It does not provide full disk encryption; instead, it encrypts specific directories. It is crucial to ensure proper backup of passphrases or key material, as losing them will result in irreversible data loss. While it supports encryption at rest, data is decrypted in memory during use, which may have minor performance implications.
KEY STORAGE AND MANAGEMENT
fscrypt manages encryption keys in user-space (e.g., in `~/.fscrypt` for passphrase-derived keys) and securely loads them into the kernel's keyring for actual file system operations. This allows keys to be loaded automatically at system boot (if configured) or on manual unlock, and securely purged from kernel memory when no longer needed.
FILESYSTEM REQUIREMENTS
For ext4, the filesystem must be created with the `encrypt` feature enabled (e.g., using `mkfs.ext4 -O encrypt /dev/sdX`). For f2fs and ubifs, encryption support is generally available without special creation flags, but they must be mounted with the correct options to utilize fscrypt effectively. Check the filesystem's feature list (with `dump-features` or a similar command) to confirm fscrypt support before running `fscrypt setup`.
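As an added example (not part of the fscrypt project or of this page), the following POSIX shell preflight check parses `tune2fs -l` output for the ext4 `encrypt` feature flag before `fscrypt setup` is attempted; the sample feature lines are constructed, the `ext4_has_encrypt_feature` and `check_device` function names are this example's own, and the kernel-side check assumes the `/sys/fs/ext4/features/encryption` sysfs node that kernels built with fscrypt support expose.

```shell
#!/bin/sh
# Constructed samples of `tune2fs -l` output (not captured from a real device).
SAMPLE_WITH_ENCRYPT='Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr dir_index filetype extent encrypt 64bit
Filesystem state:         clean'
SAMPLE_WITHOUT_ENCRYPT='Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr dir_index filetype extent 64bit
Filesystem state:         clean'

# ext4_has_encrypt_feature: read `tune2fs -l` output on stdin; exit 0 when the
# "encrypt" flag is present on the "Filesystem features:" line, 1 otherwise.
# Fields are compared whole so a name that merely contains "encrypt" does not match.
ext4_has_encrypt_feature() {
    awk '
        /^Filesystem features:/ {
            for (i = 3; i <= NF; i++) if ($i == "encrypt") found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# check_device: run the check against a real ext4 block device (needs root).
# Exits nonzero and names the fix if either the kernel or the filesystem lacks support.
check_device() {
    dev="$1"
    if [ ! -e /sys/fs/ext4/features/encryption ]; then
        echo "kernel: ext4 encryption support not present (CONFIG_FS_ENCRYPTION)" >&2
        return 1
    fi
    if tune2fs -l "$dev" | ext4_has_encrypt_feature; then
        echo "$dev: encrypt feature present; fscrypt setup <mountpoint> can proceed"
    else
        echo "$dev: encrypt feature missing; enable it with: tune2fs -O encrypt $dev" >&2
        return 1
    fi
}
```

Run `check_device /dev/sdX` on the unmounted or read-only device; a missing flag is reported with the `tune2fs -O encrypt` command that adds it.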
HISTORY
The fscrypt kernel feature was initially developed for ChromeOS and introduced into the Linux kernel in version 4.1. The fscrypt user-space tool was subsequently created to provide a convenient, user-friendly interface to manage this kernel functionality. Its development has focused on simplifying the deployment and ongoing management of directory-level encryption on Linux systems, aiming for broader adoption beyond its initial ChromeOS roots.
SEE ALSO
cryptsetup(8), mount(8), ext4(5), f2fs(5)