Linux 6.16 Upstreams Support For Hardware-Wrapped Encryption Keys
[Linux Storage] 105 Minutes Ago
- News link: https://www.phoronix.com/news/Linux-6.16-FSCRYPT-Wrapped-Keys
Google engineer Eric Biggers took time away from [1]all his impressive crypto performance optimizations to the Linux kernel for modern Intel and AMD CPUs to spend time getting support for hardware-wrapped inline encryption keys into the mainline kernel. Google's Android kernel has been carrying this functionality for several years to help enhance security and will now be found in the mainline kernel too for capable platforms.
Eric Biggers explained in the [2]FSCRYPT pull request for Linux 6.16 this new hardware-wrapped inline encryption keys feature:
"Add support for "hardware-wrapped inline encryption keys" to fscrypt. When enabled on supported platforms, this feature protects file contents keys from certain attacks, such as cold boot attacks.
This feature uses the block layer support for wrapped keys which was merged in 6.15. Wrapped key support has existed out-of-tree in Android for a long time, and it's finally ready for upstream now that there is a platform on which it works end-to-end with upstream. Specifically, it works on the Qualcomm SM8650 HDK, using the Qualcomm ICE (Inline Crypto Engine) and HWKM (Hardware Key Manager). The corresponding driver support is included in the SCSI tree for 6.16."
The FSCRYPT patch adding hardware-wrapped key support explains the feature further:
"Add support for hardware-wrapped keys to fscrypt. Such keys are protected from certain attacks, such as cold boot attacks.
...
To support hardware-wrapped keys in fscrypt, we allow the fscrypt master keys to be hardware-wrapped. File contents encryption is done by passing the wrapped key to the inline encryption hardware via blk-crypto. Other fscrypt operations such as filenames encryption continue to be done by the kernel, using the "software secret" which the hardware derives.
...
Note that this feature doesn't require any filesystem-specific changes. However it does depend on inline encryption support, and thus currently it is only applicable to ext4 and f2fs.
The version of this feature introduced by this patch is mostly equivalent to the version that has existed downstream in the Android kernels since 2020. However, a couple fixes are included."
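The split Biggers describes above (the wrapped master key is handed to the inline crypto engine for file contents, while the kernel does filenames encryption with a "software secret" the hardware derives) can be modelled in a few dozen lines of userspace code. The block below is an added toy model written for this page; it is not kernel, fscrypt, blk-crypto or Qualcomm HWKM/ICE code, and the HMAC-SHA256 keystream, the blob layout and every class and function name are stand-ins of my own. What it shows is the trust boundary: the kernel side only ever holds the wrapped blob and the software secret, so a memory image of its key state does not contain the raw contents key, and the blob is rejected by any hardware other than the device that wrapped it.

```python
# Toy model of the hardware-wrapped key flow: added illustration, NOT kernel,
# fscrypt, blk-crypto or Qualcomm HWKM/ICE code. The HMAC-SHA256 keystream is
# a stand-in for AES-XTS and for the hardware's key-wrapping cipher; the
# "hardware" is a Python object whose private KEK plays the role of fused,
# hardware-only key material that the kernel can never read.
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HardwareKeyManager:
    """Model of HWKM + ICE: owns a device-unique KEK that never leaves it."""

    def __init__(self):
        self._kek = os.urandom(32)  # hardware-only; never exported to software

    def generate_wrapped_key(self) -> bytes:
        """Create a fresh raw contents key; hand it out only in wrapped form."""
        raw, nonce = os.urandom(32), os.urandom(16)
        ct = _xor(raw, _keystream(self._kek, b"wrap" + nonce, 32))
        tag = hmac.new(self._kek, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag  # the opaque blob software is allowed to hold

    def _unwrap(self, wrapped: bytes) -> bytes:
        # Internal to the hardware: authenticate the blob, then recover the raw key.
        nonce, ct, tag = wrapped[:16], wrapped[16:48], wrapped[48:]
        expect = hmac.new(self._kek, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            raise ValueError("wrapped key rejected: wrong device or tampered blob")
        return _xor(ct, _keystream(self._kek, b"wrap" + nonce, 32))

    def derive_software_secret(self, wrapped: bytes) -> bytes:
        """The one secret the hardware derives for the kernel's own (software) use."""
        return hmac.new(self._unwrap(wrapped), b"software secret", hashlib.sha256).digest()

    def crypt_contents(self, wrapped: bytes, lblk: int, data: bytes) -> bytes:
        """Inline engine: unwrap internally and (de)crypt one block, keyed by block number."""
        raw = self._unwrap(wrapped)
        return _xor(data, _keystream(raw, b"contents" + lblk.to_bytes(8, "big"), len(data)))


class FscryptMasterKey:
    """What the kernel side holds for a hardware-wrapped fscrypt master key."""

    def __init__(self, hw: HardwareKeyManager, wrapped: bytes):
        self._hw = hw
        self.wrapped = wrapped  # opaque blob; useless without this device's KEK
        self.sw_secret = hw.derive_software_secret(wrapped)

    def encrypt_filename(self, name: bytes) -> bytes:
        # Filenames encryption stays in software, keyed from the software secret.
        k = hmac.new(self.sw_secret, b"filenames", hashlib.sha256).digest()
        return _xor(name, _keystream(k, b"fname", len(name)))

    def write_block(self, lblk: int, plaintext: bytes) -> bytes:
        return self._hw.crypt_contents(self.wrapped, lblk, plaintext)  # the "blk-crypto" path

    def read_block(self, lblk: int, ciphertext: bytes) -> bytes:
        return self._hw.crypt_contents(self.wrapped, lblk, ciphertext)

    def ram_image(self) -> bytes:
        # Everything a cold-boot dump of the kernel's key state could capture.
        return self.wrapped + self.sw_secret


def run_model() -> dict:
    """Exercise the flow and report the properties the design is meant to provide."""
    hw = HardwareKeyManager()
    wrapped = hw.generate_wrapped_key()
    mk = FscryptMasterKey(hw, wrapped)
    block = b"constructed sample file contents"  # constructed input
    ct = mk.write_block(7, block)
    raw = hw._unwrap(wrapped)  # peeking inside the hardware, for the check only
    dump = mk.ram_image()
    result = {
        "roundtrip": mk.read_block(7, ct) == block and ct != block,
        "raw_key_absent_from_ram": raw not in dump and hw._kek not in dump,
        "filename_hidden": mk.encrypt_filename(b"secret.txt") != b"secret.txt",
    }
    tampered = bytearray(wrapped)
    tampered[20] ^= 1  # flip a bit inside the encrypted key field
    try:
        hw.derive_software_secret(bytes(tampered))
        result["tamper_rejected"] = False
    except ValueError:
        result["tamper_rejected"] = True
    try:
        HardwareKeyManager().derive_software_secret(wrapped)  # a different device
        result["other_device_rejected"] = False
    except ValueError:
        result["other_device_rejected"] = True
    return result
```

Calling `run_model()` returns all five properties as `True`. The model also makes the limit of the feature visible: the software secret is kernel memory, so operations done in software (filenames here) are keyed from material a cold-boot attacker can still recover, which is why the pull request claims protection for file contents keys specifically.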
As of yesterday, that hardware-wrapped keys support is in the mainline Linux kernel for the Linux 6.16 release this summer.
[1] https://www.phoronix.com/search/Eric+Biggers
[2] https://lore.kernel.org/lkml/20250526011159.GA23241@sol/