The big feature in this release is #148, support for v2 kernel encryption policies. With the release of Linux 5.4, the kernel added a new type of policy that makes fscrypt much easier to use. For directories using these new policies:
fscrypt unlockmakes the plaintext version of the directory visible to all users (if they have permission). This makes sharing encrypted folders between users (or a user and root) much easier.fscrypt lock(also new in this release) can be run as a non-root user.- The policies are no longer tied to the buggy kernel keyring API.
- This removes the need for users to run
keyctl linkor to reconfigurepam_keyinit. - Some systemd related bugs will no longer be an issue.
- This removes the need for users to run
- Denial-of-Service attacks possible with the v1 API can no longer be used.
To use this new functionality, make sure you are on Linux 5.4 or later. Then, add "policy_version": "2" to "options" in /etc/fscrypt.conf. After this, all new directories will encrypted with v2 polices. See the README.md for more information, including how to use some of the new kernel features with existing directories.
Many thanks to @ebiggers for the herculean effort to get this code (and the kernel code) tested and merged.
Other new features in this release:
- The
.fscryptdirectory can now be a symlink. #150 - When an encrypted directory and a protector reside on different filesystems, we now automatically create a recovery password. #167, #193
Bug fixes in this release:
- Bind mounts are now handled correctly #154
- Cleanup polices/protectors on failure #192
- Config file is created with the correct mode #152
fscrypt setupnow properly creates/.fscrypt#149- Work around strange Go interaction with process keyrings #177
- Misc Optimizations: #159
- Build and CI improvements: #161, #158, #168, #169
- Doc updates: #172, #171, #166, #173, #179, #183