Encrypted block device - support?


Martin Langhoff

Sep 19, 2023, 11:55:35 AM
to crosvm-dev
hi everyone - 

is there any work on supporting encrypted block devices? I am fairly experienced with the Linux boot process, image building, etc. Not shy about hacking on it if needed.

Looking for a way to have an encrypted block device (it doesn't have to be the rootfs) in my Chromebook Linux VMs/containers, via crosvm / vmc.

thanks,


martin

Daniel Verkamp

Sep 19, 2023, 9:03:16 PM
to Martin Langhoff, crosvm-dev
Hi Martin,

On ChromeOS, all user data in the stateful partition (including the
disk image that stores the penguin container data) is encrypted and is
only unlocked while you are logged in to your Chromebook - is that
sufficient for your use case?

I don't think we have any plans to enable block device encryption for
VMs on ChromeOS, since it would be an extra layer of encryption on top
of the already encrypted stateful partition.

Maybe you could use LUKS cryptsetup on a disk image file and mount it
with a FUSE filesystem, although I have not tested this.

Thanks,
-- Daniel

Martin Langhoff

Sep 20, 2023, 10:38:38 AM
to Daniel Verkamp, crosvm-dev
On Tue, Sep 19, 2023 at 9:03 PM Daniel Verkamp <dver...@google.com> wrote:
> On ChromeOS, all user data in the stateful partition (including the
> disk image that stores the penguin container data) is encrypted and is
> only unlocked while you are logged in to your Chromebook - is that
> sufficient for your use case?

Thanks, Daniel, for the response! I'm aware the partition is encrypted,
but no, it does not quite meet my use case.

The use case I am working on has per-topic (per project?) files that
need to be encrypted/decrypted separately.

> I don't think we have any plans to enable block device encryption for
> VMs on ChromeOS, since it would be an extra layer of encryption on top
> of the already encrypted stateful partition.

Understood - yes, double encryption (and its inefficiencies) here is
within my expectations.

> Maybe you could use LUKS cryptsetup on a disk image file and mount it
> with a FUSE filesystem, although I have not tested this.

Yes, I'd be happy to do this. But at which layer do you think it has a
chance of working? vmc, crosvm?

It doesn't have to start up mounted - if the block device is mapped,
we'd be more than ok to call mount (and provide the secrets) inside
the VM or the container.

regards,


martin


--
Martin Langhoff
Principal, Tech DNA
+1-617-838-9503
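The approach Daniel suggests and Martin says he is happy to try (a LUKS volume on a disk image file, opened and mounted from inside the guest with the secret supplied there) looks roughly like the script below. This is an added example, not code from the crosvm project or from either poster. It assumes the guest kernel provides loop and dm-crypt, that cryptsetup, util-linux (blkid) and e2fsprogs are installed in the guest, and that the user can run sudo there; the image path, mapping name, mount point, size and key-file variable are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not crosvm code): a file-backed LUKS2 volume created,
# opened and mounted inside a Linux guest. Assumes loop + dm-crypt in the
# guest kernel and cryptsetup/blkid/mkfs.ext4 installed; all paths, names
# and sizes below are assumptions.
set -eu

IMG="${IMG:-$HOME/project-a.img}"      # assumed location of the image file
NAME="${NAME:-project-a}"              # device-mapper name: /dev/mapper/$NAME
MNT="${MNT:-$HOME/mnt/project-a}"      # assumed mount point
SIZE_MB="${SIZE_MB:-512}"
KEYFILE="${KEYFILE:-}"                 # optional; empty means prompt for a passphrase

# True if the file starts with the LUKS magic "LUKS\xba\xbe". This is a
# cheap unprivileged pre-check; `cryptsetup isLuks` is the authoritative one.
is_luks_image() {
    [ -r "$1" ] || return 1
    magic=$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Accept a key file only if it is non-empty and not readable by group/others.
keyfile_ok() {
    [ -s "$1" ] || return 1
    mode=$(stat -c '%a' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

create_volume() {
    [ -e "$IMG" ] && { echo "$IMG already exists, refusing to overwrite" >&2; return 1; }
    truncate -s "${SIZE_MB}M" "$IMG"   # sparse file; grows as data is written
    chmod 600 "$IMG"
    if [ -n "$KEYFILE" ]; then
        keyfile_ok "$KEYFILE" || { echo "key file empty or too permissive: $KEYFILE" >&2; return 1; }
        sudo cryptsetup luksFormat --type luks2 --pbkdf argon2id --key-file "$KEYFILE" "$IMG"
    else
        sudo cryptsetup luksFormat --type luks2 --pbkdf argon2id "$IMG"
    fi
}

open_volume() {
    is_luks_image "$IMG" || { echo "$IMG does not carry a LUKS header" >&2; return 1; }
    if [ -n "$KEYFILE" ]; then
        keyfile_ok "$KEYFILE" || { echo "key file empty or too permissive: $KEYFILE" >&2; return 1; }
        sudo cryptsetup open --key-file "$KEYFILE" "$IMG" "$NAME"
    else
        sudo cryptsetup open "$IMG" "$NAME"   # cryptsetup attaches a loop device itself
    fi
    # First open: the plaintext device has no filesystem yet.
    if ! sudo blkid -p "/dev/mapper/$NAME" >/dev/null 2>&1; then
        sudo mkfs.ext4 -q "/dev/mapper/$NAME"
    fi
    mkdir -p "$MNT"
    sudo mount "/dev/mapper/$NAME" "$MNT"
    sudo chown "$(id -u):$(id -g)" "$MNT"
}

close_volume() {
    sudo umount "$MNT"
    sudo cryptsetup close "$NAME"
}

case "${1:-}" in
    create) create_volume ;;
    open)   open_volume ;;
    close)  close_volume ;;
    *)      echo "usage: $0 create|open|close" >&2 ;;
esac
```

Two caveats worth keeping in mind with this layout. First, a key file that lives on the same VM disk is unlocked whenever the ChromeOS profile is, so it adds no separation beyond what the stateful partition already gives; the per-project isolation Martin is after only comes from a passphrase typed at open time or a key delivered from outside the VM. Second, setting up device-mapper mappings is normally not permitted inside an unprivileged container, so I would expect this to have to run in the VM itself rather than in the penguin container; the container can then see the mounted directory through whatever sharing the VM already provides. Both of those are my expectations, not something the thread confirms.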