Native encryption support in ext4 originated at Google for the Android platform. However, since ext4 is arguably the most popular Linux filesystem today, the patch set was also proposed for the mainline Linux kernel. Developers Michael Halcrow and Ted Ts'o are to thank for this new capability in ext4.
The encryption logic is embedded in the filesystem itself, so users who currently rely on solutions like LUKS or VeraCrypt should be pleased that no additional software layer is needed. Keeping the work inside the filesystem can also mean better performance than a separate stacked layer. Note, though, that ext4 encryption protects selected directory trees rather than the whole block device, so it is not a one-to-one replacement for full-disk encryption. ext4 encryption works per directory tree: the user sets an encryption policy on an empty directory, and the policy records which master key to use. Every file and symbolic link stored under that directory gets its own individual key, derived from the master key and a random value stored in an extended attribute attached to the file's inode. File names are encrypted too. The directory structure itself is not hidden: a user with the right permissions can still list an encrypted directory without holding the key, but the entries appear as mangled (encrypted) names and the file contents cannot be read.
Key management is done in-kernel through the kernel keyring. Userspace loads the master key into a keyring but cannot read its payload back out; the kernel uses it on the filesystem's behalf. If a user-space process has the required master key in its keyring, it can access the encrypted directory as usual; a process without it sees only the mangled names and cannot read the contents.
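The following is an added illustration of the scheme described above, written for this page; it is not kernel code and not the ext4 patch set's own logic. It models the parts the two paragraphs describe: a policy set on an empty directory that names a master key by descriptor, a per-inode random value (the xattr) from which each file's key is derived, encrypted file names, and a keyring that gates access so a process without the key can still list the directory but gets mangled names and no contents. Everything cryptographic here is a labelled stand-in: HMAC-SHA256 replaces the kernel's AES-based per-file key derivation and its AES ciphers for contents and names, and Python dicts stand in for the inode xattr and the kernel keyring. The descriptor derivation, the `Keyring` and `EncryptedDirectory` classes, and the `demo()` walkthrough are all assumptions made for the example.

```python
"""Model of ext4 per-directory encryption (added illustration, not kernel code).

Stand-ins, labelled as assumptions: HMAC-SHA256 replaces the kernel's AES-based
per-file key derivation and its AES ciphers; dicts stand in for the inode
extended attribute and for the kernel keyring.
"""
from __future__ import annotations
import base64
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # random per-inode value that the kernel keeps in an xattr


def key_descriptor(master_key: bytes) -> str:
    """Short identifier for a master key; the policy stores this, never the key.
    (Hypothetical derivation for this example: a SHA-512 prefix.)"""
    return hashlib.sha512(master_key).hexdigest()[:16]


def derive_file_key(master_key: bytes, nonce: bytes) -> bytes:
    """Per-inode key = KDF(master key, inode nonce). Stand-in KDF: HMAC-SHA256."""
    return hmac.new(master_key, b"per-file-key:" + nonce, hashlib.sha256).digest()


def xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: HMAC-SHA256 keystream in counter mode, XORed
    with the data. Applying it twice with the same key and label recovers the input."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, label + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class Keyring:
    """Models one process's keyring. Only the filesystem layer calls lookup();
    there is deliberately no call that hands key material back to the process."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def add_key(self, master_key: bytes) -> str:
        desc = key_descriptor(master_key)
        self._keys[desc] = master_key
        return desc

    def lookup(self, desc: str | None) -> bytes | None:
        return self._keys.get(desc)


class EncryptedDirectory:
    """Models one directory tree placed under an ext4 encryption policy."""

    def __init__(self) -> None:
        self.policy: str | None = None                 # master key descriptor
        self.nonce = secrets.token_bytes(NONCE_LEN)    # the directory's own xattr nonce
        self._entries: dict[bytes, tuple[bytes, bytes]] = {}  # cname -> (nonce, ctext)

    def set_policy(self, desc: str) -> None:
        if self._entries:
            raise OSError("EINVAL: policy may only be set on an empty directory")
        self.policy = desc

    def _master_key(self, keyring: Keyring) -> bytes:
        mk = keyring.lookup(self.policy)
        if mk is None:
            raise PermissionError("ENOKEY: required master key not in keyring")
        return mk

    def _encrypt_name(self, master_key: bytes, name: str) -> bytes:
        # Names are encrypted with the directory's own derived key, deterministically,
        # so that a lookup by plaintext name can find the on-disk entry.
        return xor_stream(derive_file_key(master_key, self.nonce), b"filename", name.encode())

    def create(self, keyring: Keyring, name: str, data: bytes) -> None:
        mk = self._master_key(keyring)
        nonce = secrets.token_bytes(NONCE_LEN)  # stored in the new inode's xattr
        ctext = xor_stream(derive_file_key(mk, nonce), b"contents", data)
        self._entries[self._encrypt_name(mk, name)] = (nonce, ctext)

    def listdir(self, keyring: Keyring) -> list[str]:
        """With the key: plaintext names. Without it: the listing still succeeds,
        but every entry shows up as an encoded ciphertext name."""
        mk = keyring.lookup(self.policy)
        if mk is None:
            return sorted(base64.urlsafe_b64encode(c).decode() for c in self._entries)
        dir_key = derive_file_key(mk, self.nonce)
        return sorted(xor_stream(dir_key, b"filename", c).decode() for c in self._entries)

    def read(self, keyring: Keyring, name: str) -> bytes:
        mk = self._master_key(keyring)
        nonce, ctext = self._entries[self._encrypt_name(mk, name)]
        return xor_stream(derive_file_key(mk, nonce), b"contents", ctext)

    def on_disk(self) -> list[bytes]:
        """What the block device holds for file contents (ciphertext only)."""
        return [ctext for _, ctext in self._entries.values()]


def demo() -> dict:
    """Walk through the scheme from two processes: one holding the key, one not."""
    master_key = secrets.token_bytes(32)        # constructed sample key
    owner, other = Keyring(), Keyring()         # two processes' keyrings
    desc = owner.add_key(master_key)
    secret_dir = EncryptedDirectory()
    secret_dir.set_policy(desc)
    secret_dir.create(owner, "notes.txt", b"top secret plan")
    secret_dir.create(owner, "copy.txt", b"top secret plan")  # same plaintext
    result = {
        "names_with_key": secret_dir.listdir(owner),
        "names_without_key": secret_dir.listdir(other),
        "read_with_key": secret_dir.read(owner, "notes.txt"),
        # Per-file keys: identical contents must not produce identical ciphertext.
        "distinct_ciphertexts": len(set(secret_dir.on_disk())) == 2,
    }
    try:
        secret_dir.read(other, "notes.txt")
        result["read_without_key"] = "OK"
    except PermissionError:
        result["read_without_key"] = "ENOKEY"
    try:
        secret_dir.set_policy(desc)
        result["policy_on_nonempty"] = "OK"
    except OSError:
        result["policy_on_nonempty"] = "EINVAL"
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points the model makes visible that the prose only states: the on-disk records for the two files with identical contents differ because each inode's nonce feeds its own derived key, and the process without the key is not denied the directory listing, it simply sees ciphertext names. The policy check in `set_policy` mirrors the rule that a policy can only be applied to an empty directory.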
The patch set is still experimental and needs adequate review before it reaches regular kernels. However, it should not be long before Linux gets its first natively encrypting filesystem!