/* Fake up a context for an unencrypted directory */
memset(&ctx, 0, sizeof(ctx));
ctx.version = LLCRYPT_CONTEXT_V1;
+ /* Force file/directory name encryption policy to null.
+ * This is needed for interoperability with future versions.
+ * Change to be reverted back when Lustre supports name
+ * encryption.
+ */
+ CWARN("inode %lu: setting policy filenames_encryption_mode to null\n",
+ inode->i_ino);
ctx.v1.contents_encryption_mode = LLCRYPT_MODE_AES_256_XTS;
- ctx.v1.filenames_encryption_mode = LLCRYPT_MODE_AES_256_CTS;
+ ctx.v1.filenames_encryption_mode = LLCRYPT_MODE_NULL;
memset(ctx.v1.master_key_descriptor, 0x42,
LLCRYPT_KEY_DESCRIPTOR_SIZE);
res = sizeof(ctx.v1);
return -EFAULT;
policy.version = version;
+ /* Force file/directory name encryption policy to null.
+ * This is needed for interoperability with future versions.
+ * Code to be removed when Lustre supports name encryption.
+ */
+ CWARN("inode %lu: forcing policy filenames_encryption_mode to null\n",
+ inode->i_ino);
+ switch (policy.version) {
+ case LLCRYPT_POLICY_V1:
+ policy.v1.filenames_encryption_mode = LLCRYPT_MODE_NULL;
+ break;
+ case LLCRYPT_POLICY_V2:
+ policy.v2.filenames_encryption_mode = LLCRYPT_MODE_NULL;
+ break;
+ }
+
if (!inode_owner_or_capable(inode))
return -EACCES;
],[
fscrypt_ioctl_get_policy_ex(NULL, NULL);
],[
- has_fscrypt_support="yes"
+ dnl When Lustre supports file name encryption, restore "yes" value
+ dnl for has_fscrypt_support and remove warning message.
+ has_fscrypt_support="no"
+ AC_MSG_WARN([
+This version of Lustre lacks file name encryption support,
+so it cannot make use of in-kernel fscrypt.
+Will use embedded llcrypt if possible.])
])
]) # LC_FSCRYPT_SUPPORT