Improve volume format log output when using encryption

[aidigy-com]

What would you like to be added:

The community edition requires that both the RSA encryption key and its passphrase are provided manually. Yet, it may fail silently to enable the encryption, and the log output is misleading if the credentials are not passed correctly (e.g. using a secret for the CSI driver mounting it). While it reads like it is encrypted:

2025/09/07 00:30:55.140033 juicefs[7] <INFO>: Volume is formatted as {
  "Name": "my-fs",
  "UUID": "ffffffff-ffff-ffff-ffff-ffffffffffff",
  "Storage": "s3",
  "Bucket": "http://minio.my-platform.svc.cluster.local:9000/my-bucket",
  "AccessKey": "my-access-key",
  "SecretKey": "removed",
  "BlockSize": 4096,
  "Compression": "none",
  "EncryptAlgo": "aes256gcm-rsa",
  "KeyEncrypted": true,
  "TrashDays": 1,
  "MetaVersion": 1,
  "MinClientVersion": "1.1.0-A",
  "DirStats": true,
  "EnableACL": false
} [format@format.go:564]

And even when the encryption is configured correctly, also the only difference in logs where "EncryptKey": "removed", appears, is not as obvious as it could be.

Hence, it would be better if format fails with error and/or the log output clearly states that encryption is in place or not, e.g. with "Encrypted": false,.

Why is this needed:

Avoiding false assumptions on enabled encryption and simplifying debugging if encryption is not working as expected.

[jiefenghuang]

"the log output is misleading if the credentials are not passed correctly"
Can you provide the detailed output? If the encryptor fails to initialize, JuiceFS will output the detail error.

[aidigy-com]

Hi @jiefenghuang - thank you for your reply! Actually the output above is what I got in the PVC system pod - the format is successful and no error is shown, but the volume is not encrypted - and that is the reason why I created the ticket.

As it is easy to reproduce for me by resetting my local cluster and simply not passing the RSA key in a secret when applying my application, I have produced a new log:

2025/09/08 11:30:08.355647 juicefs[7] <INFO>: Meta address: tikv://tidb-cluster-pd.my-platform.svc.cluster.local:2379/ [NewClient@interface.go:578]
2025/09/08 11:30:08.357374 juicefs[7] <INFO>: TiKV gc interval is set to 3h0m0s [newTikvClient@tkv_tikv.go:87]
2025/09/08 11:30:08.378671 juicefs[7] <INFO>: Data use s3://minio.my-platform.svc.cluster.local:9000/my-bucket/my-fs/ [format@format.go:527]
2025/09/08 11:30:08.417598 juicefs[7] <INFO>: Volume is formatted as {
  "Name": "my-fs",
  "UUID": "3b86b278-732e-4068-a9a7-da97de9d3e7a",
  "Storage": "s3",
  "Bucket": "http://minio.my-platform.svc.cluster.local:9000/my-bucket",
  "AccessKey": "my-access-key",
  "SecretKey": "removed",
  "BlockSize": 4096,
  "Compression": "none",
  "EncryptAlgo": "aes256gcm-rsa",
  "KeyEncrypted": true,
  "TrashDays": 1,
  "MetaVersion": 1,
  "MinClientVersion": "1.1.0-A",
  "DirStats": true,
  "EnableACL": false
} [format@format.go:564]
2025/09/08 11:30:08.449080 juicefs[1] <INFO>: Meta address: tikv://tidb-cluster-pd.my-platform.svc.cluster.local:2379/ [NewClient@interface.go:578]
2025/09/08 11:30:08.449173 juicefs[1] <INFO>: TiKV gc interval is set to 3h0m0s [newTikvClient@tkv_tikv.go:87]
2025/09/08 11:30:08.463972 juicefs[1] <INFO>: Data use s3://minio.my-platform.svc.cluster.local:9000/my-bucket/my-fs/ [mount@mount.go:588]
2025/09/08 11:30:08.494114 juicefs[25] <INFO>: Meta address: tikv://tidb-cluster-pd.my-platform.svc.cluster.local:2379/ [NewClient@interface.go:578]
2025/09/08 11:30:08.494203 juicefs[25] <INFO>: TiKV gc interval is set to 3h0m0s [newTikvClient@tkv_tikv.go:87]
2025/09/08 11:30:08.514349 juicefs[25] <INFO>: Data use s3://minio.my-platform.svc.cluster.local:9000/my-bucket/my-fs/ [mount@mount.go:588]
2025/09/08 11:30:08.514383 juicefs[25] <INFO>: JuiceFS version 1.3.0+2025-07-03.30190ca1 [mount@mount.go:631]
2025/09/08 11:30:08.522980 juicefs[25] <INFO>: Disk cache (/var/jfsCache/3b86b278-732e-4068-a9a7-da97de9d3e7a/): used ratio - [space 7.1%, inode 0.1%] [newCacheStore@disk_cache.go:147]
2025/09/08 11:30:08.523374 juicefs[25] <INFO>: Adjusted cache capacity based on freeratio: from 107374182400 to 7536781931 bytes [setlimitByFreeRatio@disk_cache.go:171]
2025/09/08 11:30:08.523398 juicefs[25] <INFO>: Adjusted max items based on freeratio: from 0 to 1840034 items [setlimitByFreeRatio@disk_cache.go:176]
2025/09/08 11:30:08.531772 juicefs[25] <INFO>: Create session 1 OK with version: 1.3.0+2025-07-03.30190ca1 [NewSession@base.go:535]
2025/09/08 11:30:08.540212 juicefs[25] <INFO>: Prometheus metrics listening on [::]:9567 [exposeMetrics@mount.go:134]
2025/09/08 11:30:08.542719 juicefs[25] <INFO>: Mounting volume my-fs at /jfs/pvc-90e55fba-edec-4879-835b-461e979ea7d4-icwjyq ... [mountMain@mount_unix.go:1027]
2025-09-08 11:30:08.568643 I | Unimplemented opcode POLL
2025/09/08 11:30:08.569307 juicefs[1] <INFO>: watching /jfs/pvc-90e55fba-edec-4879-835b-461e979ea7d4-icwjyq, pid 25 [watchdog@mount_unix.go:162]
2025/09/08 11:30:08.965546 juicefs[1] <INFO>: �[92mOK�[0m, my-fs is ready at /jfs/pvc-90e55fba-edec-4879-835b-461e979ea7d4-icwjyq [checkMountpoint@mount_unix.go:235]

Or do you need different logs?

[jiefenghuang]

So you didn’t pass the RSA key in the format statement？ Everything looks fine currently, and the output is as expected. I think it’s only necessary to log something when an error occurs.By reviewing your command or configuration, it’s also quite easy to spot issues with the flag configuration.

[aidigy-com]

Not necessarily. Ask the LLM of your choice based on above full log output if JuiceFS is encrypted or not.

Claude Sonnet 4:

Based on the JuiceFS CSI driver logs, encryption is enabled.

The key evidence is in the volume format configuration shown in the logs:

...

Two specific fields confirm encryption is active:

"EncryptAlgo": "aes256gcm-rsa" - This indicates that AES-256-GCM encryption with RSA key encryption is configured
"KeyEncrypted": true - This confirms that the encryption keys themselves are encrypted

So the JuiceFS filesystem is configured with encryption using AES-256-GCM algorithm with RSA-encrypted keys.

Gemini 2.5 Pro:

Based on the logs provided, yes, encryption is enabled.

You can see the confirmation in this log entry:

...

Specifically, the following two lines indicate that encryption is active:

"EncryptAlgo": "aes256gcm-rsa" shows that an encryption algorithm has been set.
"KeyEncrypted": true confirms that the volume's encryption key is itself encrypted.

GPT-5:

Short answer: Yes — encryption is enabled.

Why:

The volume format shows "EncryptAlgo": "aes256gcm-rsa", which indicates client-side encryption using AES-256-GCM with an RSA-encrypted key.
"KeyEncrypted": true confirms the data encryption key is wrapped (encrypted), consistent with encryption being active.

So your JuiceFS volume is using AES-256-GCM with RSA key wrapping.

But that is the reason I created it as feature request, not a bug. Technically you are absolutely right, no error occurred. Yet, obviously it is not ideal.