Description
fscrypt has long been the standard subsystem for filesystems to adopt filesystem-level encryption. Traditionally fscrypt has encrypted data on a per-inode level; however, this made snapshotting or reflinking encrypted data difficult. Over the past two years, btrfs has worked to add per-extent encryption to fscrypt: encrypting on a per-extent level allows reflinking and snapshotting of encrypted data, and potentially other features in the future like changing encryption keys for new data and the use of authenticated encryption for greater security.
This talk will go over what your filesystem can do with the new per-extent fscrypt, the tradeoffs of inode-based versus extent-based fscrypt, and the challenges encountered in btrfs. Afterward we'll discuss what's coming next, and address questions about whether per-extent fscrypt is suitable for the unique feature set of your filesystem.