Managing Encrypted Filesystems with dirlock
13 hours ago
- #encryption
- #Linux
- #SteamOS
- Alberto Garcia and team developed dirlock, a tool for managing encrypted filesystems on SteamOS, presented at Open Source Summit Europe.
- Steam Deck devices, like mobile phones, contain personal data needing encryption, especially since they support more than just gaming.
- Current encryption options on SteamOS are limited, with Plasma Vault offering encrypted directories but not full home directory encryption.
- Project goals include protecting personal data if the device is lost/stolen, supporting multiple users with independent keys, and enabling encryption without reinstalling the OS.
- Three encryption technologies considered: stacked filesystem encryption (e.g., gocryptfs), block-device encryption (e.g., LUKS), and native filesystem encryption (fscrypt).
- fscrypt was chosen for SteamOS due to its practicality, flexibility, ease of enabling on existing systems, and good performance.
- dirlock, inspired by fscrypt, manages encryption keys, supports PAM, FIDO, and TPM, and is written in Rust. It's set to be an experimental feature in SteamOS 3.8.
- dirlock uses 'protectors' (password, FIDO2, TPM) to wrap master keys, allowing for secure management and flexibility in key access and changes.
- The tool includes a PAM module for authentication, supporting scenarios like shared directories among users with different protectors.
- Rust's use in dirlock was noted as a non-controversial, practical choice, reflecting its established status in development.