Linux Symposium

Optimizing eCryptfs for better performance and security

Li Wang

Nowadays, how to protect the confidentiality of data is increasingly becoming an important concern. eCryptfs is a POSIX-compliant enterprise cryptographic filesystem for Linux, included in the mainline Linux kernel since version 2.6.19. eCryptfs is widely used for data encryption, for example, as the basis for Ubuntu's encrypted home directory, natively within Google's ChromeOS, and transparently embedded in several network attached storage (NAS) devices.

The goals of this work are, (1) to present an approach to perform redundant cache elimination for eCryptfs, to reduce ideally half of the memory consumption and avoid unnecessary memory copies between Linux kernel page caches under some situationts, the benefits are verified by experiments, and this approach is applicable to other stacked filesystems. (2) to present the design and implementation of HMAC verification support for eCryptfs, this enables eCryptfs to detect unauthorized data modification and unexpected data corruption, and the experiments demonstrate the decrease in throughput is modest. (3) to present an approach to introduce a thread pool, working in a pipeline manner to perform encryption and write down, to fully exploit parallelism, with notable performance improvements. (4) to present a simple but useful and effective write optimization. (5) to discuss the ongoing and future works on eCryptfs. (6) to discuss the several issues that should be addressed for better stackable file system support for Linux kernel.

Policies   |   Media Archives