adbd9b4dee
fscrypt only uses SHA-256 for AES-128-CBC-ESSIV, which isn't the default and is only recommended on platforms that have hardware accelerated AES-CBC but not AES-XTS. There's no link-time dependency, since SHA-256 is requested via the crypto API on first use. To reduce bloat, we should limit FS_ENCRYPTION to selecting the default algorithms only. SHA-256 by itself isn't that much bloat, but it's being discussed to move ESSIV into a crypto API template, which would incidentally bring in other things like "authenc" support, which would all end up being built-in since FS_ENCRYPTION is now a bool. For Adiantum encryption we already just document that users who want to use it have to enable CONFIG_CRYPTO_ADIANTUM themselves. So, let's do the same for AES-128-CBC-ESSIV and CONFIG_CRYPTO_SHA256. Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Eric Biggers <ebiggers@google.com>
17 lines
498 B
Plaintext
17 lines
498 B
Plaintext
# SPDX-License-Identifier: GPL-2.0-only
|
|
config FS_ENCRYPTION
|
|
bool "FS Encryption (Per-file encryption)"
|
|
select CRYPTO
|
|
select CRYPTO_AES
|
|
select CRYPTO_CBC
|
|
select CRYPTO_ECB
|
|
select CRYPTO_XTS
|
|
select CRYPTO_CTS
|
|
select KEYS
|
|
help
|
|
Enable encryption of files and directories. This
|
|
feature is similar to ecryptfs, but it is more memory
|
|
efficient since it avoids caching the encrypted and
|
|
decrypted pages in the page cache. Currently Ext4,
|
|
F2FS and UBIFS make use of this feature.
|