{"guid":"6052bed1-946c-5a62-ac89-10ce04c66347","title":"Encrypted Btrfs Subvolumes: Keeping Container Storage Safe","subtitle":null,"slug":"all-systems-go-2023-221-encrypted-btrfs-subvolumes-keeping-container-storage-safe","link":"https://cfp.all-systems-go.io/all-systems-go-2023/talk/ZJDHRA/","description":"At Meta, we've been working to add encryption support to btrfs, with exciting implications for per-container security. Traditionally encryption has either dealt with whole disks, with LUKS, or with a few filesystems: ext4, f2fs, ubifs, and ceph, lacking in advanced volume management. Btrfs has several features these filesystems don't: deduplicating/reflinking identical data, subvolume/snapshot management, and integrated checksumming. These features allow giving containers their own encrypted subvolume with a key only loaded when the container is running, preventing container storage from being read while turned off, and making deletion of expired containers' storage secure.","original_language":"eng","persons":["Sweet Tea Dorminy"],"view_count":346,"promoted":false,"date":"2023-09-13T10:30:00.000+02:00","release_date":"2023-09-13T00:00:00.000+02:00","updated_at":"2026-04-11T11:45:03.507+02:00","tags":["asg2023","221","2023"],"length":1548,"duration":1548,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2023/221-6052bed1-946c-5a62-ac89-10ce04c66347.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2023/221-6052bed1-946c-5a62-ac89-10ce04c66347_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2023/221-6052bed1-946c-5a62-ac89-10ce04c66347.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2023/221-6052bed1-946c-5a62-ac89-10ce04c66347.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2023-221-encrypted-btrfs-subvolumes-keeping-container-storage-safe","url":"https://api.media.ccc.de/public/events/6052bed1-946c-5a62-ac89-10ce04c66347","conference_title":"All Systems Go! 2023","conference_url":"https://api.media.ccc.de/public/conferences/asg2023","related":[],"recordings":[{"size":57,"length":1548,"mime_type":"video/webm","language":"eng","filename":"asg2023-221-eng-Encrypted_Btrfs_Subvolumes_Keeping_Container_Storage_Safe_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2023-09-14T04:19:34.402+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2023/webm-sd/asg2023-221-eng-Encrypted_Btrfs_Subvolumes_Keeping_Container_Storage_Safe_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/70333","event_url":"https://api.media.ccc.de/public/events/6052bed1-946c-5a62-ac89-10ce04c66347","conference_url":"https://api.media.ccc.de/public/conferences/asg2023"},{"size":133,"length":1548,"mime_type":"video/webm","language":"eng","filename":"asg2023-221-eng-Encrypted_Btrfs_Subvolumes_Keeping_Container_Storage_Safe_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2023-09-14T03:59:34.933+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2023/webm-hd/asg2023-221-eng-Encrypted_Btrfs_Subvolumes_Keeping_Container_Storage_Safe_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/70331","event_url":"https://api.media.ccc.de/public/events/6052bed1-946c-5a62-ac89-10ce04c66347","conference_url":"https://api.media.ccc.de/public/conferences/asg2023"},{"size":43,"length":1548,"mime_type":"video/mp4","language":"eng","filename":"asg2023-221-eng-Encrypted_Btrfs_Subvolumes_Keeping_Container_Storage_Safe_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2023-09-14T01:58:34.278+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2023/h264-sd/asg2023-221-eng-Encrypted_Btrfs_Subvolumes_Keeping_Container_Storage_Safe_sd.mp4","url":"https://api.media.ccc.de/public/recordings/70313","event_url":"https://api.media.ccc.de/public/events/6052bed1-946c-5a62-ac89-10ce04c66347","conference_url":"https://api.media.ccc.de/public/conferences/asg2023"},{"size":14,"length":1548,"mime_type":"audio/opus","language":"eng","filename":"asg2023-221-eng-Encrypted_Btrfs_Subvolumes_Keeping_Container_Storage_Safe_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2023-09-14T01:32:33.792+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2023/opus/asg2023-221-eng-Encrypted_Btrfs_Subvolumes_Keeping_Container_Storage_Safe_opus.opus","url":"https://api.media.ccc.de/public/recordings/70281","event_url":"https://api.media.ccc.de/public/events/6052bed1-946c-5a62-ac89-10ce04c66347","conference_url":"https://api.media.ccc.de/public/conferences/asg2023"},{"size":23,"length":1548,"mime_type":"audio/mpeg","language":"eng","filename":"asg2023-221-eng-Encrypted_Btrfs_Subvolumes_Keeping_Container_Storage_Safe_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2023-09-14T01:31:33.905+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2023/mp3/asg2023-221-eng-Encrypted_Btrfs_Subvolumes_Keeping_Container_Storage_Safe_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/70278","event_url":"https://api.media.ccc.de/public/events/6052bed1-946c-5a62-ac89-10ce04c66347","conference_url":"https://api.media.ccc.de/public/conferences/asg2023"},{"size":125,"length":1548,"mime_type":"video/mp4","language":"eng","filename":"asg2023-221-eng-Encrypted_Btrfs_Subvolumes_Keeping_Container_Storage_Safe_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2023-09-13T18:29:51.175+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2023/h264-hd/asg2023-221-eng-Encrypted_Btrfs_Subvolumes_Keeping_Container_Storage_Safe_hd.mp4","url":"https://api.media.ccc.de/public/recordings/70258","event_url":"https://api.media.ccc.de/public/events/6052bed1-946c-5a62-ac89-10ce04c66347","conference_url":"https://api.media.ccc.de/public/conferences/asg2023"}]}