• 𝒍𝒆𝒎𝒂𝒏𝒏
    link
    fedilink
    arrow-up
    14
    ·
    1 year ago

    Built-in encryption in bcachefs sounds great, that’s the only thing that BTRFS has been missing for me so far.

    Bonus points if it can be decrypted on boot like LUKS, and double bonus points if its scriptable like cryptsetup (retrieve key from hardware device, or network, or flash stick etc)

    https://bcachefs.org/Encryption/

    Will likely give bcachefs a spin as soon as it drops in Debian Unstable 😁

      • 𝒍𝒆𝒎𝒂𝒏𝒏
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Yeppp this is what I currently do, and offers the best performance IMO compared to using something like gocryptfs in userspace on top of BTRFS. Pretty happy with it except a few small things…

        It can be a bit of a faff to mount on a new machine if its file manager doesn’t support encrypted volumes natively ☹️. On your daily you can have it all sorted in your crypttab and fstab so it’s not an issue there

        My main problem though is if it’s an external USB device you have encrypted with LUKS, the handles and devices stay there after an unexpected USB disconnect… so you can’t actually unmount or remount the dm-crypt device after that happens. Anytime you try, the kernel blocks you saying the device is busy - only fix i’m aware of is a reboot.

        If the encryption is managed by the filesystem itself, one would probably assume this kind of mounting & unexpected disconnect scenario would be handled as gracefully as possible

        • ReversalHatchery@beehaw.org
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          1 year ago

          I see, good points.

          I have also experienced that dangling devices break remounting it, but I think there’s a quicker solution for it: dmsetup remove insert_device_name_here.
          It’s still a manual thing, though, but 2 steps better. Maybe it can be automated somehow, I haven’t looked into that yet.