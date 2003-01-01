Hacker News new | comments | show | ask | jobs | submit login
Cryptographic File Systems Performance: What You Don't Know Can Hurt You (2003) (filesystems.org)
31 points by tomashton 240 days ago | 14 comments



This is pretty dated -- the document is 14 years old, at this point. While it was an accurate study of its time, many of the technologies referenced have been replaced --- and some were found to be defective.


Yep. There are other things that significantly affect perf in addition to newer technology (like XTS): for most users, the block device is an SSD, and for most users, your CPU knows how to do AES quickly. Both have significant improvements to performance, up to the point where turning on FileVault 2 for a Mac is a no-brainer now.


Needs a [2003] tag. Great for its time, but everything from the systems they evaluate to the benchmarks they use to the hardware they ran on makes this almost inapplicable today. It would be fantastic to see an updated version.


Please read up on ZFS. Once your inner computer scientist has overcome the "blatant layering violation", you will understand how they minimise the encryption cpu effort with much caching, and how they leverage transaction groups to reduce latency impact. The corruption issue is being addressed by very large blocks each with their own checksum (outside the crypto container), scheduled onto independent devices and a scrubber to regularly re-validate the integrity. Yes, yes, this was published a bit after the linked article.


I've long refrained from encrypting my file systems because of a worry that a tiny bit of file system corruption (like during a power outage, or from stray cosmic rays) could cause the entire file system to become un-decryptable and thereby losing all my data. Is this a valid concern or can are encrypted file systems as resilient as unencrypted file system to such limited, local corruption?


If you backup your master keys and header, corruption in one sector does not make other sectors unreadable. You may lose the sector (between 512 and 4096 bytes) where the corruption happens. If you use file level encryption like eCryptfs you may lose the whole file because it stores separate metadata for each file, I think.

Filesystem-level encryption don't use modes where the state of one sector depends on previous sector. All that is needed is for decrypting a sector is filesystem header and sector number.

more information: https://en.wikipedia.org/wiki/Disk_encryption_theory


Most modern disk encryption mechanisms have settled on XTS (with AES). That includes dm-crypt, FileVault2, BitLocker... XTS is effectively a way to build a really wide block cipher: typically 512 (== 1 classic sector) to 4096 bits (== 1 modern sector) instead of the usual 128 bits (for AES). (Yes, yes. Technically a tweakable block cipher, four points for Gryffindor &c.)

With these systems, file system corruption is not a significantly different issue than it is with other systems. It is not the case that a filesystem is much more likely to become entirely or largely inaccessible than it would be if it had not been encrypted, unless if course if you lose the key!

I'd be in remiss if I didn't mention that while XTS is the standard, it fixes a very specific kind of problem, and you probably still want something on top with a more traditional form of encryption for specific sensitive files. To be clear, the advise is not "don't use FileVault 2"! It's: "do not only use FV2". My work machine, for example, is FV2, but all important credentials are GPG'd using a smart card that's normally not attached to the machine.


>typically 512 (== 1 classic sector) to 4096 bits

it's bytes


Oops! You are of course correct :)


It's as much of a concern as you make it, e.g. by storing redundant keys or key shards elsewhere, and it can be a strength as well as a weakness. Inability to delete or destroy data is an increasing problem. If you replicate or back up your data, how do you ensure all the copies are gone? If you store it on an SSD, how do you ensure that wear-leveling and remapping hasn't caused the physical blocks containing that data to remain intact? Being able to throw away the key and be sure that nobody can get at the data again can be quite nice. The important thing is that you get to control those keys and therefore the persistence of that data.


depends on the file system. some encrypt at the individual file level. I believe ecryptfs falls into this category.


It does, yes, but it's also not secure if an adversary has two versions of a file (they can partially decrypt it, I believe).


I believe you're talking about encfs, not ecryptfs. The specific vulnerability is in the bizarro last-block encryption that encfs 1.x uses; see: https://defuse.ca/audits/encfs.htm

I use FileVault 2 with Yubikey 4-backed GPG for sensitive files. (Turn disk encryption on, but don't count on it to keep your files secret in a lot of threat models.)


Oops, sorry, yes! I did mean encfs.




