v0.3.6

v0.3.6

v0.3.5

v0.3.5

v0.3.4

The release notes can now be found in the NEWS file.

v0.3.3

This release contains fixes for three security vulnerabilities and related security hardening:

• Correctly handle malicious mountpoint paths in the fscrypt bash completion script (CVE-2022-25328, command injection).
• Validate the size, type, and owner (for login protectors) of policy and protector files (CVE-2022-25327, denial of service).
• Make the fscrypt metadata directories non-world-writable by default (CVE-2022-25326, denial of service).
• When running as a non-root user, ignore policy and protector files that aren't owned by the user or by root.
• Also require that the metadata directories themselves and the mountpoint root directory be owned by the user or by root.
• Make policy and protector files mode 0600 rather than 0644.
• Make all relevant files owned by the user when root encrypts a directory with a user's login protector, not just the the login protector itself.
• Make pam_fscrypt ignore system users completely.

Thanks to Matthias Gerstner (SUSE) for reporting the above vulnerabilities and suggesting additional hardening.

Note: none of these vulnerabilities or changes are related to the cryptography used. The main issue was that it wasn't fully considered how fscrypt's metadata storage method could lead to denial-of-service attacks if a local user is malicious.

Although upgrading to v0.3.3 shouldn't break existing users, there may be some edge cases where users were relying on functionality in ways we didn't anticipate. If you encounter any issues, please report them as soon as possible so that we can find a solution for you.

v0.3.2

This release includes the following improvements:

• Made linked protectors (e.g., login protectors used on a non-root filesystem) more reliable when a filesystem UUID changes.
• Made login protectors be owned by the user when they are created as root, so that the user has permission to update them later.
• Made fscrypt work when the root directory is a btrfs filesystem.
• Made pam_fscrypt start warning when a user's login protector is getting de-synced due to their password being changed by root.
• Support reading the key for raw key protectors from standard input.
• Made fscrypt metadata remove-protector-from-policy work even if the protector is no longer accessible.
• Made fscrypt stop trying to access irrelevant filesystems.
• Improved the documentation.

v0.3.1

This release includes the following improvements:

• Slightly decreased the amount of memory that fscrypt uses for password hashing, to avoid out-of-memory situations
• Made recovery passphrase generation happen without a prompt by default, and improved the explanation given
• Made many improvements to the README file
• Various other minor fixes

Simplify and fix PAM configuration, and update documentation

While this release includes some potentially breaking changes, we don't expect this to break users in practice.

Potentially breaking changes to pam_fscrypt module:

• #281: Remove the drop_caches and lock_policies options. The lock_policies behavior is now unconditional, while the correct drop_caches setting is now auto-detected. Existing PAM files that specify these options will continue to work, but these options will now be ignored.
• #278: Prioritize over other session modules. The pam_fscrypt session hook is now inserted into the correct place in the PAM stack when pam_fscrypt is configured using Debian's / Ubuntu's PAM configuration framework.

Non-breaking changes:

• #261: Add Bash completions for fscrypt
• #275: Fix an error message
• #263: Correctly detect "incompletely locked" v1-encrypted directories on kernel versions 5.10 and later

Other:

• #244: Improve Ubuntu installation instructions
• #264, #269: Minor README updates
• #256, #257, #267, #277, #283: CI updates, including switching from Travis CI to GitHub Actions

Really fix the 32-bit build

This release includes:

• Fix 32-bit build (#235). This was supposed to be fixed in v0.2.8, but another breakage was added in the same release.
• Clarify output of fscrypt status DIR on v1-encrypted directories in some cases (#237).
• [Developers]
  • Add 32-bit build to presubmit checks (#235).
  • Fix cli-tests/t_v1_policy to not be flaky (#237).

Build fixes, container support, and usability improvements

This release includes:

• Build fixes
  • Fix build on 32-bit platforms (#221)
  • Fix build with gcc 10 (#224)
• Allow fscrypt to work in containers (#213)
• Usability improvements
  • Improve many error messages and suggestions (#219). For example, if the encrypt feature flag needs to be enabled on an ext4 filesystem, fscrypt will now show the tune2fs command to run.
  • Document how to securely use login protectors (#223), and link to that documentation when creating a new login protector (#225).
  • Try to detect incomplete locking of v1-encrypted directory (#217)
  • Several other small improvements.
• [Developers] Added command-line interface tests (#218)

Add Detection for V2 kernel support

The main addition in this release is that we now automatically detect support for V2 policies when running fscrypt setup and configure /etc/fscrypt.conf appropriately (#205). This allows uses on newer kernels to automatically start using V2 policies without manually changing /etc/fscrypt.conf. To use these new policies, simply run sudo fscrypt setup and your /etc/fscrypt.conf will be automatically updated.

We also made changes to make the build of fscrypt reproducible:

• Simplify fscrypt --version output (#207)
• Use -trimpath (#208)

Finally, we added improved documentation (#201, #204, #205) and fixed up the Makefile (#200)