authorHolger Dengler <dengler@linutronix.de>2016-05-08 11:26:34 +0200
committerHolger Dengler <dengler@linutronix.de>2016-05-08 16:32:08 +0200
commitc6b4485c221dc654408fcff7e4468f7898ab6368 (patch)
tree1633c043ec164bf5d8886f829a16d59b77ec36b7 /security
parente264e2ade7948ec8746f01e841744d7a305cc67e (diff)
sec: Add cryptofs slides
Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security')
-rw-r--r--security/crypto/Makefile1
-rw-r--r--security/crypto/pres_crypto_filesystems.tex161
2 files changed, 162 insertions, 0 deletions
diff --git a/security/crypto/Makefile b/security/crypto/Makefile
index a1a28af..eee67f3 100644
--- a/security/crypto/Makefile
+++ b/security/crypto/Makefile
@@ -1,2 +1,3 @@
obj-$(CONFIG_SECURITY_CRYPTO) += pres_crypto_en.pdf
obj-$(CONFIG_SECURITY_PKI) += pres_pki_en.pdf
+obj-$(CONFIG_SECURITY_CRYPTO) += pres_crypto_filesystems.pdf
diff --git a/security/crypto/pres_crypto_filesystems.tex b/security/crypto/pres_crypto_filesystems.tex
new file mode 100644
index 0000000..f43c181
--- /dev/null
+++ b/security/crypto/pres_crypto_filesystems.tex
@@ -0,0 +1,161 @@
+\input{configpres}
+
+% ----------------------------
+\subsection{Crypto Filesystems}
+
+\title{Crypto Filesystems}
+\maketitle
+
+% ----------------------------
+\begin{frame}
+\frametitle{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\subsubsection{Filesystem Overview}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Filesystem Overview}
+\begin{itemize}
+\item General Purpose
+ \begin{itemize}
+ \item Ext4
+ \item F2FS
+ \item ZFS
+ \end{itemize}
+\item FUSE based
+ \begin{itemize}
+ \item encFS
+ \item lessFS (Blowfish only)
+ \end{itemize}
+\item Kernel based
+ \begin{itemize}
+ \item eCryptFS
+ \end{itemize}
+\item Block device Encryption
+ \begin{itemize}
+ \item Linux Unified Key Setup (LUKS)
+ \item dm-crypt
+ \item can be used as base-layer other filesystems
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{F2FS}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{F2FS}
+\begin{itemize}
+\item optimized for controller-based Flash-Devices
+\item log structure based
+\item atomic operations
+\item Encryption
+ \begin{itemize}
+ \item as in EXT4
+ \item transparent
+ \item file-system based
+ \item AES128/256, XTS/CBC/CTR
+ \item support encrypted keys
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{EncFS}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{EncFS}
+\begin{itemize}
+\item Userspace Filesystem (FUSE)
+\item OS independent
+\item Container: encrypted data and encrypted datakey
+\item Mountpoint: transparent overlay
+\item Encryption
+ \begin{itemize}
+ \item transparent
+ \item file-system based
+ \item AES128/256, CFB
+ \item separate keys for access and data encryption
+ \end{itemize}
+\item Disadvantages
+ \begin{itemize}
+ \item lots of known attacks
+ \item weak default configuration
+ \item paranoid configuration still allows some known attacks
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{eCryptFS}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{eCryptFS}
+\begin{itemize}
+\item widely used for encrypting home directories (e.g. Ubuntu)
+\item part of Linux Kernel
+\item Encryption
+ \begin{itemize}
+ \item filesystem based
+ \item use Kernel keyring
+ \item use Kernel encryption layer
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{LUKS/dm-crypt}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{LUKS/dm-crypt}
+\begin{itemize}
+\item transparent block device encryption
+\item filesystem independent
+\item empty block handling
+\item highest security level
+ \begin{itemize}
+ \item full disk encryption
+ \item use Kernel keyring
+ \item use Kernel encryption layer
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Summary}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Summary}
+\begin{itemize}
+\item Encrypt private files in public Cloud
+ \begin{itemize}
+ \item EncFS
+ \end{itemize}
+\item Encrypt data on USB-Stick/SD-Card/eMMC
+ \begin{itemize}
+ \item F2FS
+ \end{itemize}
+\item Encrypt data in Homedirectory
+ \begin{itemize}
+ \item eCryptFS
+ \end{itemize}
+\item Encrypt data on enterprise-level
+ \begin{itemize}
+ \item LUKS/dm-crypt on block-devices
+ \item Ext4 (full disk)
+ \item ZFS (full disk)
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsection*{}
+\input{tailpres}
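Review bot: The Summary frame recommends EncFS under `\item Encrypt private files in public Cloud`, which is the scenario that the EncFS frame's own Disadvantages list (`lots of known attacks`, `paranoid configuration still allows some known attacks`) argues against. A storage provider can observe successive versions of the ciphertext, and the published EncFS audit considered the design reasonably safe only when an adversary obtains a single copy. I would qualify the entry, for example `\item EncFS (weak once several ciphertext versions are visible, see Disadvantages)`, so the recommendation is not read on its own. Separately, `\item highest security level` on the LUKS/dm-crypt frame is unqualified: the sub-items list only encryption features, so a wording such as `\item confidentiality of data at rest (no integrity protection)` would probably be more accurate, if that matches the setup being taught.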