@@ -38,6 +38,7 @@ or by adding using the following command line build:
The initramfs-crypt-hook recipe has the following variables which can be overwritten during image build:
- CRYPT_PARTITIONS
- CRYPT_CREATE_FILE_SYSTEM_CMD
+- CRYPT_FAST_REENCRYPTION
### CRYPT_PARTITIONS
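Review bot: the new `- CRYPT_FAST_REENCRYPTION` entry lists the variable as a peer of `CRYPT_PARTITIONS` and `CRYPT_CREATE_FILE_SYSTEM_CMD`, but each of those is documented under its own `### NAME` heading, whereas the second hunk documents the new variable as a `####` subsection under `### CRYPT_PARTITIONS`. For consistency give it a `### CRYPT_FAST_REENCRYPTION` section of its own that states the accepted values (the text only mentions `"1"`) and the default, otherwise a reader scanning the headings for the variable names in this list will miss it.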
@@ -58,6 +59,41 @@ The mountpoint is empty as the root partition is mounted by a seperate initramf
Both partitions are encrypted during first boot. The initramfs hook opens `${ABROOTFS_PART_UUID_A}` and `${ABROOTFS_PART_UUID_B}`
during boot.
+#### Speed-up disk-reencryption (`CRYPT_FAST_REENCRYPTION`)
+
+As the `reencrypt` mechanism doesn't work at file system level
+so it wouldn't detect used and free blocks.
+This means that the block-wise reencryption process could
+take a very long time depending on the partition size.
+
+Using the `format` mechanism instead of the `reencrypt` one
+would delete all existing data (without wiping). This would be very fast,
+because it doesn't matter whether a block is used or free.
+
+Set `CRYPT_FAST_REENCRYPTION` to `"1"` to speed-up the `reencrypt` process.
+So, this would be done:
+- Obtain used space of the unencrypted userdata partition
+- Shrink the partition and resize it to the size of used space (minimum size)
+- reencrypt the userdata partition now with smaller size
+- Expand the encrypted userdata partition back to the maximum possible size
+
+A temporary loop device is used as wrapper to simulate a shrinked device
+because the used cryptsetup takes care of the device size and
+the --reduce-device-size parameter is limited to 64 MiB.
+
+However, this speed-up lacks the described security benefit of
+implicit data overwrite. In general, there is no support for
+explicit random overwrite within the `initramfs-crypt-hook`, that's
+only implicit for the `reencrypt` case without speed-up.
+
+Some disk encryption implementations like within the Debian installer
+will overwrite the entire partition with random data for security reasons
+(e.g. wiping old already deleted data, hiding metadata, etc.).
+
+Keep in mind that a power loss while reencryption will cause data loss.
+The key is only enrolled after fully succeeded reencryption, yet.
+So, no recovery from already encrypted data would be possible.
+
### CRYPT_CREATE_FILE_SYSTEM_CMD
The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly
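Review bot: the security caveat ("However, this speed-up lacks the described security benefit of implicit data overwrite") refers to a benefit that is only explained two paragraphs later and never spells out the consequence for the user: with the speed-up only the shrunken size of the partition is reencrypted, so the tail beyond the used space, including blocks of files that were deleted earlier, keeps its previous plaintext contents on the raw device until the file system happens to rewrite those blocks. State that explicitly and move the Debian-installer paragraph in front of the caveat so "the described security benefit" has something to refer to. Second, the procedure and the loop-device paragraph contradict each other: step 2 says "Shrink the partition", but the following paragraph says a loop device is used "to simulate a shrinked device", which implies the partition table is left alone and only the file system is shrunk; if so, write "Shrink the file system to its used space" (and "shrunk" for "shrinked"), and name the tool used for the shrink and the later expansion. Third, the power-loss paragraph ("Keep in mind that a power loss while reencryption will cause data loss. The key is only enrolled after fully succeeded reencryption, yet.") sits under the speed-up heading but describes `reencrypt` in general; say which steps are unsafe to interrupt (the reencryption itself versus the shrink and expand steps) and rephrase as "during reencryption" and "The key is currently only enrolled once reencryption has fully succeeded". Minor: "As the `reencrypt` mechanism doesn't work at file system level so it wouldn't detect used and free blocks." is a fragment (drop "As" or "so"), "So, this would be done:" should read "When set, the hook performs the following steps:", and the heading should be "Speed up disk reencryption".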
Signed-off-by: Stefan Koch <stefan-koch@siemens.com>
---
 doc/README.tpm2.encryption.md | 36 +++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)