Filesystem-level encryption: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 19:58, 18 April 2007 edit 199.89.64.178 (talk) →General-purpose file systems with encryption: The list of examples is provided under the See Also section ← Previous edit		Latest revision as of 02:23, 21 October 2024 edit undo BattyBot (talk \| contribs) Bots 1,957,364 edits →top: Replaced {{unreferenced}} with {{more citations needed}} and other General fixes Tag: AWB
(79 intermediate revisions by 57 users not shown)
Line 1: {{More citations needed\|date=October 2024}} '''Filesystem-level encryption''', often called file or folder encryption, is a form of [[disk encryption]] where individual files or directories are [[encryption\|encrypted]] by the [[file system]] itself, in contrast to [[full disk encryption]] where the entire partition or disk, where the file system resides on, is encrypted. '''Filesystem-level encryption''',<ref>{{Cite web \|title=File-Level Encryption \|url=https://www.pcisecuritystandards.org/glossary/file-level-encryption/ \|access-date=2024-10-18 \|website=PCI Security Standards Council \|language=en-US}}</ref> often called '''file-based encryption''', '''FBE''', or '''file/folder encryption''', is a form of [[disk encryption]] where individual files or directories are [[encryption\|encrypted]] by the [[file system]] itself. This is in contrast to the [[full disk encryption]] where the entire partition or disk, in which the file system resides, is encrypted. The advantages of filesystem-level encryption include more flexible file-based [[key management]] and [[access control]] with [[public-key cryptography]] and the fact that [[key (cryptography)\|cryptographic keys]] are only kept in memory while a file using them is opened. Types of filesystem-level encryption include: * the use of a 'stackable' '''cryptographic filesystem''' layered on top of the main file system * a single ''general-purpose'' file system with encryption The advantages of filesystem-level encryption include: * flexible file-based [[key management]], so that each file can be and usually is encrypted with a separate encryption key{{citation needed\|date=November 2013}} * individual management of encrypted files e.g. incremental backups of the individual changed files even in encrypted form, rather than backup of the entire encrypted volume{{clarify\|how it differs from a _non-crypto_ incremental-backup, please... and the purpose (e.g. importance of backing up to another encrypted physical-disk so data remains secure but a lost token, lost disk, etc doesn't make the data irretrievable?)\|date=January 2011}} * [[access control]] can be enforced through the use of [[public-key cryptography]], and * the fact that [[key (cryptography)\|cryptographic keys]] are only held in memory while the file that is decrypted by them is held open. ==General-purpose file systems with encryption== Unlike cryptographic file systems ~~and~~or [[full disk encryption]], ~~generic~~general-purpose file systems ~~with~~that include filesystem-level encryption do not typically encrypt file system [[metadata]], such as the directory structure, file names, sizes or modification timestamps. This can be problematic if the ~~content~~metadata itself needs to be ~~encrypted~~kept confidential. In other words, if files are stored with identifying file names, anyone who has access to bethe ~~undetectable~~physical ordisk ~~its~~can ~~existence~~know which documents are stored on the disk, although not the contents of the ~~unprovable~~documents. One exception to this is the encryption support being added to the [[ZFS]] filesystem. Filesystem metadata such as filenames, ownership, ACLs, extended attributes are all stored encrypted on disk. The ZFS metadata relating to the storage pool is stored in [[plaintext]], so it is possible to determine how many filesystems (datasets) are available in the pool, including which ones are encrypted. The content of the stored files and directories remain encrypted. Another exception is [[CryFS]] replacement for [[EncFS]]. ==Cryptographic file systems== Cryptographic file systems are specialized (not general-purpose) file systems that are specifically designed with encryption and security in mind. They usually encrypt all the data they contain ~~–~~– including metadata. Instead of implementing an on-disk format and their own [[block allocation]], these file systems are often layered on top of existing file systems, ~~for example,~~e.g. residing in a directory on a host file system. Many such file systems also offer advanced features, such as [[deniable encryption]], cryptographically secure read-only [[file system permissions]] and different views of the directory structure depending on the key or user ... One use for a cryptographic file system is when part of an existing file system is [[file synchronization\|synchronized]] with '[[cloud storage]]'. In such cases the cryptographic file system could be 'stacked' on top, to help protect data confidentiality. <!-- Partial sources for this claim include http://members.ferrara.linux.it/freddy77/encfs.html "I use it mostly with Dropbox" and http://geirsdotnet.wordpress.com/2012/04/27/using-encfs4win-for-encrypting-storage-on-cloud-drive/ where the examples are Dropbox and Google Drive. --> ==See also== ~~{{Portal\|Cryptography\|Key-crypto-sideways.png}}~~ * [[Steganographic file system]] * [[List of cryptographic file systems]] * [[~~Full disk~~Disk encryption]] * [[Disk encryption\|Full disk encryption]] ==References== {{Reflist}} {{~~crypto-stub~~File systems}} [[Category:Disk encryption]] [[Category:Special-purpose file systems]] [[Category:Cryptographic software]] [[Category:Utility software types]]