Eric Biggers
> As it doesn't happen with console login (everything is encrypted at logout) isn't it a timing issue? Maybe SDDM is blocking something during logout process.

First, just to clarify,...
To revisit this: The best that `fscrypt` can do to return an encrypted directory tree to its ciphertext view is what it currently does: remove the key, sync, and drop...
I'm not sure this should be fixed by adding a systemd service for fscrypt. Other than people just not configuring pam_fscrypt correctly, I think the main problem here is that...
@josephlr, @tyhicks: I've opened an issue for the underlying systemd bug here: https://github.com/systemd/systemd/issues/8598
Yes, that's correct.
There is a log message, both from `fscrypt` and from the kernel. I'm not sure what other sort of notification you would expect; it's not like we can prevent the...
The main point of filesystem-level encryption is to allow different files on the same filesystem to be protected by different keys. This is why Android and Chrome OS use it...
The threat model primarily includes offline attacks, which OS-level access control doesn't protect against. Having different files protected by different keys is useful in that scenario since different keys can...
I'm talking about the information needed to unlock the keys, not how many layers of encryption there are. For example, Android has Device Encrypted storage which is bound to the...
> DE and CE for offline are equally hard to decrypt. That's right?

No, because the credentials are needed to unlock CE but not DE.

> Summing up filesystem...