Filesystem-level encryption: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 15:05, 14 June 2007 edit ParanoidMike (talk \| contribs) 66 edits Cleaned up some language and clarified some imprecise statements ← Previous edit		Latest revision as of 02:23, 21 October 2024 edit undo BattyBot (talk \| contribs) Bots 1,957,364 edits →top: Replaced {{unreferenced}} with {{more citations needed}} and other General fixes Tag: AWB
(74 intermediate revisions by 55 users not shown)
Line 1: {{More citations needed\|date=October 2024}} '''Filesystem-level encryption''', often called file or folder encryption, is a form of [[disk encryption]] where individual files or directories are [[encryption\|encrypted]] by the [[file system]] itself. This is in contrast to [[full disk encryption]] where the entire partition or disk, in which the file system resides, is encrypted. '''Filesystem-level encryption''',<ref>{{Cite web \|title=File-Level Encryption \|url=https://www.pcisecuritystandards.org/glossary/file-level-encryption/ \|access-date=2024-10-18 \|website=PCI Security Standards Council \|language=en-US}}</ref> often called '''file-based encryption''', '''FBE''', or '''file/folder encryption''', is a form of [[disk encryption]] where individual files or directories are [[encryption\|encrypted]] by the [[file system]] itself. This is in contrast to the [[full disk encryption]] where the entire partition or disk, in which the file system resides, is encrypted. Types of filesystem-level encryption include: * the use of a 'stackable' '''cryptographic filesystem''' layered on top of the main file system * a single ''general-purpose'' file system with encryption The advantages of filesystem-level encryption include: * flexible file-based [[key management~~]] and [[access control~~]], so that each file can be and usually is encrypted with a separate encryption key{{citation needed\|date=November 2013}} * individual ~~file~~ management of encrypted files e.g. incremental backups of ~~just~~ the individual changed files even in encrypted form, rather than backup of the entire encrypted volume{{clarify\|how it differs from a _non-crypto_ incremental-backup, please... and the purpose (e.g. importance of backing up to another encrypted physical-disk so data remains secure but a lost token, lost disk, etc doesn't make the data irretrievable?)\|date=January 2011}} * [[access control]] can be enforced through the use of [[public-key cryptography]], and * the fact that [[key (cryptography)\|cryptographic keys]] are only held in memory while the file that is decrypted by them is held open. ==General-purpose file systems with encryption== Unlike cryptographic file systems or [[full disk encryption]], general-purpose file systems that include filesystem-level encryption do not typically encrypt file system [[metadata]], such as the directory structure, file names, sizes or modification timestamps. This can be problematic if the metadata itself needs to be kept confidential. ~~This~~In ~~also~~other ~~means~~words, ~~that~~if ~~the~~files ~~content~~are tostored ~~be encrypted can always be discretely identified (its filename and metadata identifies the~~with ~~individual~~identifying file tonames, anyone ~~including~~who ~~unauthorized~~has ~~users). This makes it impossible~~access to ~~make~~ the ~~content~~physical ~~undetectable~~disk orcan ~~its~~know ~~existence~~which ~~unprovable in ways that~~documents are ~~possible~~stored ~~using~~on ~~approaches~~the ~~such~~disk, asalthough ~~virtual~~not ~~filesystems~~the ~~like~~contents aof ~~PGP~~the ~~disk~~documents. One exception to this is the encryption support being added to the [[ZFS]] filesystem. Filesystem metadata such as filenames, ownership, ACLs, extended attributes are all stored encrypted on disk. The ZFS metadata relating to the storage pool is stored in [[plaintext]], so it is possible to determine how many filesystems (datasets) are available in the pool, including which ones are encrypted. The content of the stored files and directories remain encrypted. Another exception is [[CryFS]] replacement for [[EncFS]]. ==Cryptographic file systems== Cryptographic file systems are specialized (not general-purpose) file systems that are specifically designed with encryption and security in mind. They usually encrypt all the data they contain ~~–~~– including metadata. Instead of implementing an on-disk format and their own [[block allocation]], these file systems are often layered on top of existing file systems e.g. residing in a directory on a host file system. Many such file systems also offer advanced features, such as [[deniable encryption]], cryptographically secure read-only [[file system permissions]] and different views of the directory structure depending on the key or user ... One use for a cryptographic file system is when part of an existing file system is [[file synchronization\|synchronized]] with '[[cloud storage]]'. In such cases the cryptographic file system could be 'stacked' on top, to help protect data confidentiality. <!-- Partial sources for this claim include http://members.ferrara.linux.it/freddy77/encfs.html "I use it mostly with Dropbox" and http://geirsdotnet.wordpress.com/2012/04/27/using-encfs4win-for-encrypting-storage-on-cloud-drive/ where the examples are Dropbox and Google Drive. --> ==See also== ~~{{Portal\|Cryptography\|Key-crypto-sideways.svg}}~~ * [[Steganographic file system]] * [[List of cryptographic file systems]] * [[~~Full disk~~Disk encryption]] * [[Disk encryption\|Full disk encryption]] ==References== {{Reflist}} {{~~crypto-stub~~File systems}} ~~<!-- Categories -->~~ [[Category:Disk encryption]] [[Category:Special-purpose file systems]] [[Category:Cryptographic software]] [[Category:Utility software types]]