Fscrypt on Rocky9.6

Rocky Linux Help & Support
1

Hi all, I did a clean install of Rocky9.6 (minimal install iso) on a physical system.

Created an ext4 file system with encryption enabled: mkfs.ext4 -O encrypt /dev/sda5

Checked if encryption is enabled:

# grep -i fs_encryption /boot/config-$(uname -r)
CONFIG_FS_ENCRYPTION=y
CONFIG_FS_ENCRYPTION_ALGS=m
#

# tune2fs -l /dev/sda5 | grep encrypt
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery extent 64bit flex_bg encrypt sparse_super large_file huge_file dir_nlink extra_isize metadata_csum
#

# cat /sys/fs/ext4/features/encryption
supported
#

# df -hT /mnt/ext4fs
Filesystem     Type  Size  Used Avail Use% Mounted on
/dev/sda5      ext4  3.9G   40K  3.7G   1% /mnt/ext4fs
#

Setup fscrypt:

# fscrypt setup
# fscrypt setup /mnt/ext4fs
# mkdir /mnt/ext4fs/root_dir1
# fscrypt encrypt /mnt/ext4fs/root_dir1
[ERROR] fscrypt encrypt: encryption not enabled on filesystem /mnt/ext4fs (/dev/sda5).

To enable encryption support on this filesystem, run:

     sudo tune2fs -O encrypt "/dev/sda5"

Also ensure that your kernel has CONFIG_FS_ENCRYPTION=y. See the documentation for more details.
#

What am I missing?

Thank you,

– Peter

2

Did you do that?

(I realize that your post shows encryption is enabled but since it says that’s it’s not and there’s a command to fix it provided so….)

3

Hi FrankCox, Thank you for the reply.

Yes, I followed the suggested solution but it didn’t work:

# umount /mnt/ext4fs
# tune2fs -O encrypt "/dev/sda5"
tune2fs 1.46.5 (30-Dec-2021)
# mount /dev/sda5 /mnt/ext4fs
# ll /mnt/ext4fs/
total 20
drwx------. 2 root root 16384 Nov  4 12:22 lost+found
drwxr-xr-x. 2 root root  4096 Nov  4 12:26 root_dir1
# fscrypt encrypt /mnt/ext4fs/root_dir1
[ERROR] fscrypt encrypt: encryption not enabled on filesystem /mnt/ext4fs
                         (/dev/sda5).

To enable encryption support on this filesystem, run:

     sudo tune2fs -O encrypt "/dev/sda5"

Also ensure that your kernel has CONFIG_FS_ENCRYPTION=y. See the documentation
for more details.
#
4

I’m running out of ideas here. At this point it looks like fscrypt is not really supported without doing some extra steps that I’m struggling to find.

Even a shoutout by someone in the community saying “Hey, I’m running Rocky9.x and got fscrypt working”, will be helpful.

I work at an University and researchers are asking for encryption (filesystem level, not block level) on Lustre shared volumes and also we need to certify some systems in order to get access to shared academic data. Fscrypt seems the right tool for that with kernel support and performance tuning. Going to another app in userland seems like a step back.

I also tried:

  • I installed Kali Linux on the same hardware and fscrypt worked straight out of the box. So, it’s not the hardware.
  • I installed Rocky10.0, comes with newer version of the kernel, compiled fscrypt from source (EPEL doesn’t have a package, why? is it considered less important?), and got the exact same behavior as with fscrypt on Rocky9.6.
  • Compared loaded kernel modules between Kali and Rocky. They are not one-to-one match but I tried to find something that can possibly hint for the missing piece but so far unsuccessful.

Appreciate any suggestion.

Thank you,

– Peter

5

I’m taking a look at this right now, just verifying a few things, but I expect it’s due to the lack of kernel crypto modules.

For example, we have this:

root@neotest:~# ls /lib/modules/5.14.0-570.58.1.el9_6.x86_64/kernel/crypto/
adiantum.ko.xz          chacha_generic.ko.xz      pcrypt.ko.xz
ansi_cprng.ko.xz        crc32_generic.ko.xz       poly1305_generic.ko.xz
asymmetric_keys         curve25519-generic.ko.xz  rmd160.ko.xz
async_tx                des_generic.ko.xz         serpent_generic.ko.xz
blake2b_generic.ko.xz   echainiv.ko.xz            tcrypt.ko.xz
blowfish_common.ko.xz   essiv.ko.xz               twofish_common.ko.xz
blowfish_generic.ko.xz  fcrypt.ko.xz              twofish_generic.ko.xz
camellia_generic.ko.xz  lrw.ko.xz                 vmac.ko.xz
cast5_generic.ko.xz     md4.ko.xz                 wp512.ko.xz
cast6_generic.ko.xz     michael_mic.ko.xz         xcbc.ko.xz
cast_common.ko.xz       nhpoly1305.ko.xz          xxhash_generic.ko.xz
chacha20poly1305.ko.xz  pcbc.ko.xz                zstd.ko.xz

However on Debian 13 for example:

root@debian:~# ls /lib/modules/6.16.12+deb14+1-cloud-amd64/kernel/crypto/
adiantum.ko.xz        authenc.ko.xz           crc32c-cryptoapi.ko.xz    gcm.ko.xz            seqiv.ko.xz
aegis128.ko.xz        blake2b_generic.ko.xz   crc32-cryptoapi.ko.xz     geniv.ko.xz          serpent_generic.ko.xz
aes_ti.ko.xz          blowfish_common.ko.xz   cryptd.ko.xz              ghash-generic.ko.xz  streebog_generic.ko.xz
af_alg.ko.xz          blowfish_generic.ko.xz  crypto_null.ko.xz         lrw.ko.xz            tcrypt.ko.xz
algif_aead.ko.xz      camellia_generic.ko.xz  crypto_user.ko.xz         lz4hc.ko.xz          twofish_common.ko.xz
algif_hash.ko.xz      cast5_generic.ko.xz     curve25519-generic.ko.xz  lz4.ko.xz            twofish_generic.ko.xz
algif_rng.ko.xz       cast6_generic.ko.xz     deflate.ko.xz             md4.ko.xz            wp512.ko.xz
algif_skcipher.ko.xz  cast_common.ko.xz       des_generic.ko.xz         michael_mic.ko.xz    xcbc.ko.xz
ansi_cprng.ko.xz      ccm.ko.xz               echainiv.ko.xz            nhpoly1305.ko.xz     xor.ko.xz
asymmetric_keys       chacha20poly1305.ko.xz  ecrdsa_generic.ko.xz      pcbc.ko.xz           xxhash_generic.ko.xz
async_tx              chacha.ko.xz            essiv.ko.xz               pcrypt.ko.xz         zstd.ko.xz
authencesn.ko.xz      cmac.ko.xz              fcrypt.ko.xz              rmd160.ko.xz

as you can see the list of available modules is far greater. And fscrypt works.

I am currently in the process of also compiling e2fsprogs to see if changing this helps, I will update shortly.

root@neotest:~# cat /boot/config-5.14.0-570.58.1.el9_6.x86_64 | grep CONFIG_FS_ENC
CONFIG_FS_ENCRYPTION=y
CONFIG_FS_ENCRYPTION_ALGS=m

root@neotest:~# tune2fs -l /dev/vdb1 | grep encrypt
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery extent 64bit flex_bg encrypt sparse_super large_file huge_file dir_nlink extra_isize metadata_csum

the above confirms that the kernel has the support for CONFIG_FS_ENCRYPTION, and also that ext4 has encrypt enabled on the partition.

That said, RHEL do have this: Does Red Hat support fscrypt for filesystem encryption - Red Hat Customer Portal which effectively states that they don’t support fscrypt or third party packages, and that they recommend that people use LUKS encryption. Even that we know third-party packages are not supported, there is obviously something missing that is blocking it. I’m guessing the crypt modules or lack therefore of the ones that fscrypt needs.

6

Well updated fscrypt and e2fsprogs packages didn’t help either:

root@neotest:~/fscrypt-test# ls
e2fsprogs-1.47.2-3.el9.x86_64.rpm       fscrypt-0.3.5-2.el9.x86_64.rpm      libss-1.47.2-3.el9.x86_64.rpm
e2fsprogs-libs-1.47.2-3.el9.x86_64.rpm  libcom_err-1.47.2-3.el9.x86_64.rpm  pam_fscrypt-0.3.5-2.el9.x86_64.rpm

root@neotest:~# rpm -qa | egrep "fscrypt|e2fsprogs|libcom_err|libss-1" | sort
e2fsprogs-1.47.2-3.el9.x86_64
e2fsprogs-libs-1.47.2-3.el9.x86_64
fscrypt-0.3.5-2.el9.x86_64
libcom_err-1.47.2-3.el9.x86_64
libss-1.47.2-3.el9.x86_64
pam_fscrypt-0.3.5-2.el9.x86_64

They were the ones I build using Fedora 42 source rpms, and then built on Rocky 9 with mock. After installation the problem was the same, despite the fact that the option is set in the kernel and encrypt being enabled on ext4.

Which leads me to believe what I hinted at before, that something else is missing from the kernel, most likely the encryption modules/algorithms are missing that fscrypt requires.

Without knowing exactly what fscrypt requires - and I’ve tried finding out by searching about this problem but nobody from fscrypt actually mentions what else needs to be enabled in the kernel other than the CONFIG_FS_ENCRYPTION option. Which doesn’t help much.

It’s worth noting, when I read the fscrypt github, that their readme even suggests people look at the other alternatives before considering fscrypt: GitHub - google/fscrypt: Go tool for managing Linux filesystem encryption

In reality full disk encryption is best, so things like LUKS. fscrypt still leaves unencrypted data on the system, metadata for one. So you cannot rely solely on fscrypt. The readme even suggests double-encryption (eg: LUKS + fscrypt) if the performance hit won’t be a problem. That said, it still wouldn’t work on RHEL/Rocky anyway.

I personally just use LUKS, I don’t have any need for fscrypt, but I realise other peoples requirements are different.

You may be better just using Debian instead unless you are going to put in the effort building a kernel until it starts working.

7

Hi Ian, Thank you for the effort and time you put into this. Appreciate it.

Full disk encryption solves a different problem. Fscrypt has it’s advantages in a shared environment like ours where different users can use their own keys to unlock the data, integration with file system level encryption and kernel encryption features, which should deliver better performance.

Anyway, we’ll have to look for another solution or a workaround this one (i.e. as you suggested, dedicated Debian based secure nodes for storing and accessing this data)

Thanks again for the help.

– Peter

8

In case you do want to go the kernel compilation route, I figured I’d just check the Gentoo side (I used to use Gentoo and you compile the entire system basically), but this link does hint at what is required to be compiled into the kernel including the crypto modules: https://forums.gentoo.org/viewtopic-p-8629644.html#8629644

The majority of the post is in German, but all you are really after anyway are the options to choose in the kernel, which is clear enough to read. Basically you could recompile the Rocky kernel with those options built in and it may just be enough.