My notes on making encrypted filesystems "Just Work(tm)"

Sjoerd Simons sjoerd at
Mon Dec 13 11:04:38 PST 2004

On Mon, Dec 13, 2004 at 10:39:07AM -0500, David Zeuthen wrote:
> On Mon, 2004-12-13 at 11:41 +0100, Martin Pitt wrote: 
> > > [1] : Here follows what metadata is stored on the actual block device
> > > that is encrypted; for this to work there must be at least 512 bytes (or 
> > > something) somewhere well known on the block device that we can overwrite
> > > with a guarantee that the filesystem will still work. It also requires the
> > > encryption to be a block-based cipher as we will overwrite the portions
> > > of the crypted block device.
> > 
> > In the interest of supporting encrypted home directories I propose to
> > not define a fixed size for the metadata. Instead the first block
> > should specify how many further metadata blocks are used (the dm
> > device then starts at the block right after the metadata).
> > 
> Yeah, I'm a bit scared of that. One of the important use cases in my
> view is the ability to easily encrypt/decrypt a file system (on the fly,
> for USB keys, or on the next boot) without changing it's size [1]. For
> ext3 that means we only got 0x400 bytes in the beginning of the file
> system.

An extra option in the metadata to indicate the start the start of the 
encrypted part will solve this and gives you the flexibility for both 
solutions :)..

Life is knowing how far to go without crossing the line.
hal mailing list
hal at

More information about the Hal mailing list