Filesystem-level encryption: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 22:27, 30 October 2006 edit Intgr (talk \| contribs) Autopatrolled, Extended confirmed users, New page reviewers, Pending changes reviewers 32,266 edits m →Cryptographic filesystems: Rephrase ← Previous edit		Latest revision as of 02:23, 21 October 2024 edit undo BattyBot (talk \| contribs) Bots 1,957,364 edits →top: Replaced {{unreferenced}} with {{more citations needed}} and other General fixes Tag: AWB
(87 intermediate revisions by 59 users not shown)
Line 1: {{More citations needed\|date=October 2024}} '''Filesystem-level encryption''', is a form of [[disk encryption]] where individual files or directories are [[encryption\|encrypted]] by the [[file system]], in contrast to [[full disk encryption]] where the entire partition or disk, where the file system resides, is encrypted.▼ '''Filesystem-level encryption''',<ref>{{Cite web \|title=File-Level Encryption \|url=https://www.pcisecuritystandards.org/glossary/file-level-encryption/ \|access-date=2024-10-18 \|website=PCI Security Standards Council \|language=en-US}}</ref> often called '''file-based encryption''', '''FBE''', or '''file/folder encryption''', is a form of [[disk encryption]] where individual files or directories are [[encryption\|encrypted]] by the [[file system]] itself. ▲~~'''Filesystem-level encryption''',~~This is ~~a form of [[disk encryption]] where individual files or directories are [[encryption\|encrypted]] by the [[file system]],~~ in contrast to the [[full disk encryption]] where the entire partition or disk, ~~where~~in which the file system resides, is encrypted. The advantages of filesystem-level encryption include more flexible file-based [[key management]] and [[access control]] with [[public-key cryptography]] and the fact that [[key (cryptography)\|cryptographic keys]] are only kept in memory while a file using them is opened. Types of filesystem-level encryption include: ==General-purpose filesystems with encryption==▼ * the use of a 'stackable' '''cryptographic filesystem''' layered on top of the main file system Unlike cryptographic filesystems and full disk encryption, generic filesystems with filesystem-level encryption do not typically encrypt filesystem [[metadata]], such as the directory structure, file names, sizes or modification timestamps. This can be problematic if the content to be encrypted has to be undetectable or its existence unprovable.▼ * a single ''general-purpose'' file system with encryption The advantages of filesystem-level encryption include: ~~Notable filesystems that support this kind of encryption include the [[Encrypting File System]] layer of [[NTFS]].~~ * flexible file-based [[key management]], so that each file can be and usually is encrypted with a separate encryption key{{citation needed\|date=November 2013}} * individual management of encrypted files e.g. incremental backups of the individual changed files even in encrypted form, rather than backup of the entire encrypted volume{{clarify\|how it differs from a _non-crypto_ incremental-backup, please... and the purpose (e.g. importance of backing up to another encrypted physical-disk so data remains secure but a lost token, lost disk, etc doesn't make the data irretrievable?)\|date=January 2011}} * [[access control]] can be enforced through the use of [[public-key cryptography]], and * the fact that [[key (cryptography)\|cryptographic keys]] are only held in memory while the file that is decrypted by them is held open. ▲==General-purpose ~~filesystems~~file systems with encryption== ==Cryptographic filesystems==▼ ▲Unlike cryptographic ~~filesystems~~file ~~and~~systems or [[full disk encryption]], ~~generic~~general-purpose ~~filesystems~~file ~~with~~systems that include filesystem-level encryption do not typically encrypt ~~filesystem~~file system [[metadata]], such as the directory structure, file names, sizes or modification timestamps. This can be problematic if the ~~content~~metadata itself needs to be ~~encrypted~~kept confidential. In other words, if files are stored with identifying file names, anyone who has access to bethe ~~undetectable~~physical ordisk ~~its~~can ~~existence~~know which documents are stored on the disk, although not the contents of the ~~unprovable~~documents. Cryptographic filesystems are filesystems that are specifically designed with encryption and security in mind. They usually encrypt all the data they contain – including metadata. Instead of implementing an on-disk format and their own [[block allocation]], these filesystems are often layered on top of existing filesystems, for example, residing in a directory on a host filesystem. Many such filesystems also offer advanced features, such as [[deniable encryption]], cryptographically secure read-only [[file system permissions]] and different views of the directory structure depending on the key or user.▼ One exception to this is the encryption support being added to the [[ZFS]] filesystem. Filesystem metadata such as filenames, ownership, ACLs, extended attributes are all stored encrypted on disk. The ZFS metadata relating to the storage pool is stored in [[plaintext]], so it is possible to determine how many filesystems (datasets) are available in the pool, including which ones are encrypted. The content of the stored files and directories remain encrypted. Another exception is [[CryFS]] replacement for [[EncFS]]. ▲==Cryptographic ~~filesystems~~file systems== ▲Cryptographic ~~filesystems~~file systems are ~~filesystems~~specialized (not general-purpose) file systems that are specifically designed with encryption and security in mind. They usually encrypt all the data they contain ~~–~~– including metadata. Instead of implementing an on-disk format and their own [[block allocation]], these ~~filesystems~~file systems are often layered on top of existing ~~filesystems,~~file ~~for~~systems ~~example,~~e.g. residing in a directory on a host ~~filesystem~~file system. Many such ~~filesystems~~file systems also offer advanced features, such as [[deniable encryption]], cryptographically secure read-only [[file system permissions]] and different views of the directory structure depending on the key or user ... One use for a cryptographic file system is when part of an existing file system is [[file synchronization\|synchronized]] with '[[cloud storage]]'. In such cases the cryptographic file system could be 'stacked' on top, to help protect data confidentiality. <!-- Partial sources for this claim include http://members.ferrara.linux.it/freddy77/encfs.html "I use it mostly with Dropbox" and http://geirsdotnet.wordpress.com/2012/04/27/using-encfs4win-for-encrypting-storage-on-cloud-drive/ where the examples are Dropbox and Google Drive. --> ==See also== ~~{{Portal\|Cryptography\|Key-crypto-sideways.png}}~~ * [[Full disk encryption]]▼ * [[Encrypting File System]] * [[EncFS]] * [[List of encrypting filesystems]] * [[Steganographic file system]] ~~{{crypto-stub}}~~ * [[List of cryptographic file systems]] ▲* [[~~Full disk~~Disk encryption]] * [[Disk encryption\|Full disk encryption]] ==References== {{Reflist}} {{File systems}} [[Category:Disk encryption]] [[Category:Special-purpose file systems]] [[Category:Cryptographic software]] [[Category:Utility software types]]