Encrypted Btrfs Subvolumes: Keeping Container Storage Safe
2023-09-13, 10:30–11:10 (Europe/Berlin), Dome

At Meta, we've been working to add encryption support to btrfs, with exciting implications for per-container security. Traditionally encryption has either dealt with whole disks, with LUKS, or with a few filesystems: ext4, f2fs, ubifs, and ceph, lacking in advanced volume management. Btrfs has several features these filesystems don't: deduplicating/reflinking identical data, subvolume/snapshot management, and integrated checksumming. These features allow giving containers their own encrypted subvolume with a key only loaded when the container is running, preventing container storage from being read while turned off, and making deletion of expired containers' storage secure.

I (Sweet Tea) have worked on kernel storage since graduating from MIT in 2013. I've been a fan of open source, particularly storage technology, since I started using Gentoo in '05, and was fortunate to get a job out of college working on Linux kernel storage. I began at a startup called Permabit working on a then-proprietary software-defined storage device providing dedupe and compression, which was acquired by Red Hat in 2017. dm-vdo has now been open sourced and is working on going upstream soon. In 2022, I joined the btrfs team at Meta, and have been working on adding filesystem encryption to btrfs since.