On Tue, Sep 19, 2023 at 9:03 PM Daniel Verkamp <
dver...@google.com> wrote:
> On ChromeOS, all user data in the stateful partition (including the
> disk image that stores the penguin container data) is encrypted and is
> only unlocked while you are logged in to your Chromebook - is that
> sufficient for your use case?
Thanks Daniel for the response! I'm aware the partition is encrypted
but no, it does not quite meet my use case.
The use case I am working on has per-topic (per project?) files that
need to be encrypted/decrypted separately.
> I don't think we have any plans to enable block device encryption for
> VMs on ChromeOS, since it would be an extra layer of encryption on top
> of the already encrypted stateful partition.
Understood - yes, double encryption (and its inefficiencies) here is
within my expectations.
> Maybe you could use LUKS cryptsetup on a disk image file and mount it
> with a FUSE filesystem, although I have not tested this.
Yes, I'd be happy to do this. But at which layer do you think it has a
chance of working? vmc, crosvm?
It doesn't have to start up mounted - if the block device is mapped,
we'd be more than ok to call mount (and provide the secrets) inside
the VM or the container.
regards,
martin
--
Martin Langhoff
Principal
Tech DNA
+1-617-838-9503
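The LUKS-on-a-disk-image approach suggested above, worked through as an added shell example (not code from Daniel, Martin, or the ChromeOS project): one sparse image file per project, formatted once with cryptsetup, then opened and mounted inside the VM or container on demand and closed again so the key leaves the kernel. All paths, names, and the assumption that cryptsetup, loop devices, and sudo are available inside the VM are mine, not from the thread.

```shell
#!/bin/sh
# Per-project encrypted volume on a disk-image file (LUKS via cryptsetup).
# Assumptions (not from the thread): images live under $VAULT_DIR inside the
# VM, cryptsetup/loop devices are usable there, and the privileged steps run
# through sudo. The double encryption on top of the stateful partition is
# accepted, as the thread states.

VAULT_DIR="${VAULT_DIR:-$HOME/vaults}"

# create_image FILE SIZE_MB: allocate a sparse image file (unprivileged step).
# Refuses to overwrite an existing image so a formatted vault is never clobbered.
create_image() {
    file=$1; size_mb=$2
    mkdir -p "$(dirname "$file")"
    if [ -e "$file" ]; then
        echo "refusing to overwrite existing image $file" >&2
        return 1
    fi
    truncate -s "${size_mb}M" "$file"
}

# image_size_mb FILE: apparent size in MB, used to sanity-check an image.
image_size_mb() {
    bytes=$(stat -c %s "$1" 2>/dev/null || stat -f %z "$1")
    echo $(( bytes / 1024 / 1024 ))
}

# mapper_name PROJECT: derive a device-mapper name from a project id.
# Only [A-Za-z0-9_-] is accepted so the name cannot contain '/' or '..'
# and end up outside /dev/mapper.
mapper_name() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    echo "vault-$1"
}

# vault_format FILE: one-time LUKS2 format; cryptsetup prompts for the passphrase.
vault_format() {
    sudo cryptsetup luksFormat --type luks2 "$1"
}

# vault_open PROJECT FILE MOUNTPOINT: unlock the image and mount it.
# On first use the mapped device has no filesystem yet, so one is created.
vault_open() {
    name=$(mapper_name "$1") || { echo "bad project name: $1" >&2; return 1; }
    sudo cryptsetup open "$2" "$name"
    if ! sudo blkid "/dev/mapper/$name" >/dev/null 2>&1; then
        sudo mkfs.ext4 -q "/dev/mapper/$name"
    fi
    mkdir -p "$3"
    sudo mount "/dev/mapper/$name" "$3"
    sudo chown "$(id -u):$(id -g)" "$3"
}

# vault_close PROJECT MOUNTPOINT: unmount and close the mapping, which
# discards the volume key from the kernel until the next vault_open.
vault_close() {
    name=$(mapper_name "$1") || return 1
    sudo umount "$2"
    sudo cryptsetup close "$name"
}

# Typical session inside the VM (constructed names):
#   create_image "$VAULT_DIR/projectA.img" 512
#   vault_format "$VAULT_DIR/projectA.img"        # once per project
#   vault_open   projectA "$VAULT_DIR/projectA.img" "$HOME/projectA"
#   ...work on the project's files...
#   vault_close  projectA "$HOME/projectA"
```

Because the image is an ordinary file, it can sit on the (already encrypted) stateful partition and be opened at the guest or container layer without any crosvm or vmc support; the passphrase is supplied when the project is opened, which matches the "provide the secrets inside the VM or the container" requirement in the message above. `vault_close` matters as much as `vault_open`: while the mapping exists, anyone with root in the guest can read the plaintext.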