document metadata encryption
parent
da9f17b2c8
commit
d3da06814d
@ -337,8 +337,11 @@
<p>File data is encrypted with AES-256-XTS and file names with AES-256-CTS. A
unique key is derived using HKDF-SHA512 for each regular file, directory and
symbolic link from the per-profile encryption keys, or the device encryption
key for non-sensitive data stored outside of profiles. GrapheneOS increases
the file name padding from 16 bytes to 32 bytes.</p>
key for non-sensitive data stored outside of profiles. The directory key is
used to encrypt the file names. GrapheneOS increases the file name padding
from 16 bytes to 32 bytes. AES-256-XTS with the device encryption key is also
used to encrypt filesystem metadata as a whole beyond the finer-grained file
name encryption.</p>
<p>The OS derives a password token from the profile's lock method credential
using scrypt. This is used as the main input for key derivation.</p>
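Review bot: The new sentence "AES-256-XTS with the device encryption key is also used to encrypt filesystem metadata as a whole" does not say what the metadata layer covers, or what follows from it being keyed by the device encryption key rather than a per-profile key. The same paragraph describes the device encryption key as the one for non-sensitive data stored outside of profiles, so a reader cannot tell how metadata for files inside a profile is protected while that profile is locked. Suggest naming the metadata this layer covers and stating explicitly that file contents and file names inside profiles stay under the per-profile keys in addition to it. Separately, "The directory key is used to encrypt the file names" would be more precise as the key of the containing directory, since the preceding sentence derives a key for every regular file, directory and symbolic link.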