Filesystem-level encryption

Filesystem-level encryption

Filesystem-level encryption, often called file or folder encryption, is a form of disk encryption where individual files or directories are encrypted by the file system itself. This is in contrast to full disk encryption where the entire partition or disk, in which the file system resides, is encrypted.

The advantages of filesystem-level encryption include:

  • flexible file-based key management, so that each file can be and usually is encrypted with a separate encryption key
  • individual management of encrypted files e.g. incremental backups of the individual changed files even in encrypted form, rather than backup of the entire encrypted volume[clarification needed]
  • access control can be enforced through the use of public-key cryptography, and
  • the fact that cryptographic keys are only held in memory while the file that is decrypted by them is held open.

General-purpose file systems with encryption

Unlike cryptographic file systems or full disk encryption, general-purpose file systems that include filesystem-level encryption do not typically encrypt file system metadata, such as the directory structure, file names, sizes or modification timestamps. This can be problematic if the metadata itself needs to be kept confidential. In other words, if files are stored with identifying file names, anyone who has access to the physical disk can know which documents are stored on the disk, although not the contents of the documents.

One exception to this is the encryption support being added to the ZFS filesystem. Filesystem metadata such as filenames, ownership, ACLs, extended attributes are all stored encrypted on disk. The ZFS metadata about the storage pool is still stored in the clear so it is possible to determine how many filesystems (datasets) are available in the pool and even which ones are encrypted but not what the content of the stored files or directories are.

Cryptographic file systems

Cryptographic file systems are specialized (not general-purpose) file systems that are specifically designed with encryption and security in mind. They usually encrypt all the data they contain – including metadata. Instead of implementing an on-disk format and their own block allocation, these file systems are often layered on top of existing file systems e.g. residing in a directory on a host file system. Many such file systems also offer advanced features, such as deniable encryption, cryptographically secure read-only file system permissions and different views of the directory structure depending on the key or user.

See also

Crypto key.svg Cryptography portal



Wikimedia Foundation. 2010.

Игры ⚽ Поможем решить контрольную работу

Look at other dictionaries:

  • Encryption layer in storage stack — There is a plurality of terms that are used to describe implementations of disk encryption: on the fly encryption (OTFE); full disk encryption (FDE), whole disk encryption; filesystem level encryption, encrypted filesystem, cryptographic… …   Wikipedia

  • Disk encryption — uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. Disk encryption prevents unauthorized access to data storage. The term full disk encryption (or whole disk encryption) is often used to… …   Wikipedia

  • Full disk encryption — (or whole disk encryption) is a kind of disk encryption software or hardware which encrypts every bit of data that goes on a disk or disk volume. The term full disk encryption is often used to signify that everything on a disk, including the… …   Wikipedia

  • Encrypted filesystem — can mean:* A filesystem with filesystem level encryption support * A filesystem that resides on an encrypted disk or partition, see full disk encryption * Encrypting File System (EFS), the encryption subsystem of NTFS …   Wikipedia

  • Deniable encryption — In cryptography and steganography, deniable encryption is encryption that allows its users to convincingly deny that the data is encrypted, or that they are able to decrypt it[citation needed]. Such convincing denials may or may not be genuine.… …   Wikipedia

  • Comparison of disk encryption software — This is a technical feature comparison of different disk encryption software. Contents 1 Background information 2 Operating systems 3 Features 4 Layering …   Wikipedia

  • File system — For library and office filing systems, see Library classification. Further information: Filing cabinet A file system (or filesystem) is a means to organize data expected to be retained after a program terminates by providing procedures to store,… …   Wikipedia

  • EncFS — Infobox Software name = EncFS caption = developer = Valient Gough latest release version = 1.4.2 latest release date = April 13 2008 latest preview version = latest preview date = operating system = Linux, FreeBSD platform = genre = filesystem,… …   Wikipedia

  • Encrypting File System — The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS[1] that provides filesystem level encryption. The technology enables files to be transparently encrypted to protect confidential data from… …   Wikipedia

  • Comparison of file managers — The following tables compare general and technical information for a number of notable file managers. Contents 1 General information 2 Operating system support 2.1 Cross platform file managers 2.2 …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”