RFC: pefs - stacked cryptographic filesystem
Gleb Kurtsou
gleb.kurtsou at gmail.com
Tue Sep 7 18:03:31 UTC 2010
Thanks to Peter Holm and Thomas Vogt for finding several bugs:
* Compilation with DIAGNOSTIC option
* Vnode reference and lock leak in pefs_rename()
I've uploaded new version to test:
http://github.com/downloads/glk/pefs/pefs-2010-09-07.tar.gz
Github repository is also updated.
Also note, that if you have extra debugging options like DEBUG_LOCKS in
your kernel config pefs module has to be build with same options.
I set KERNBUILDDIR to my kernel build directory to make it work:
# uname -v
FreeBSD 9.0-CURRENT #25 r212049+d758796: Tue Aug 31 22:09:45 EEST 2010 root at tops:/usr/obj/freebsd-src/local/sys/TOPS
# export KERNBUILDDIR=/usr/obj/freebsd-src/local/sys/TOPS
# cd pefs/sys/modules/pefs
# make clean
# make && make install
Thanks,
Gleb.
On (06/09/2010 21:38), Gleb Kurtsou wrote:
> Hello,
>
> I would like to ask for feedback on a kernel level stacked cryptographic
> filesystem. It has started as Summer Of Code'2009 project and matured a
> lot since then. I've recently added support for sparse files and
> switched to XTS encryption mode.
>
> I've been using it to encrypt my home directory for almost a year
> already, and use fsx, dbench and blogbench for testing. So it should be
> fairly stable.
>
> Tested on top of ZFS, UFS and tmpfs on amd64 and i386; both 9-CURRENT
> and 8-STABLE supported.
>
> Please email me separately if you're willing to help testing on big
> endian machine, XTS code doesn't look endian correct.
>
> At this point all of the project goals complete and I'd like it to get
> wider coverage in terms of tests and reviews and hope to see it commited
> to HEAD soon.
>
>
> Installation instructions:
>
> 1a. Clone git repository:
> # git clone git://github.com/glk/pefs.git pefs
> # cd pefs
>
> 1b. Or download latest snapshot from github:
> http://github.com/glk/pefs/archives/master
>
> 2. Build and install:
> # make obj all
> # make install
>
> 3. Mount pefs filesystem:
> # pefs mount ~/Private ~/Private
>
> 4. Enter passphrase:
> # pefs addkey ~/Private
>
> 5. Test it and report back. There is also a man page available.
>
> 6. Example how to save your key in keychain database.
>
> pefs has to be mounted and key specified to make fs writable, create
> keychain with single entry (keychain -Z option):
> # pefs addchain -Z ~/Private
> Don't encrypt .pefs.db:
> # mv ~/Private/.pefs.db /tmp
> # umount ~/Private
> # mv /tmp/.pefs.db ~/Private
> # pefs mount ~/Private ~/Private
> Use -c option to verify key is in database
> # pefs addkey -c ~/Private
>
> 7. You can setup pam_pefs (not compiled by default) to add key to home
> directory and authenticate against keychain database on login, e.g. by
> adding the following line to /etc/pam.d/system before pam_unix.so:
>
> auth sufficient pam_pefs.so try_first_pass
>
>
> The following is a list of its most important features:
>
> * Kernel level file system, no user level daemons needed.
> Transparently runs on top of existing file systems.
> * Random per file tweak value used for encryption, which guaranties
> different cipher texts for the same encrypted files.
> * Saves metadata only in encrypted file name, but not in file itself.
> * Supports arbitrary number of keys per file system, default directory
> key, mixing files encrypted with different keys in same directory.
> * Allows defining key chains, can be used to add/delete several keys
> by specifying only master key.
> * Uses modern cryptographic algorithms: AES and Camellia in XTS mode,
> PKCS#5v2 and HKDF for key generation.
>
>
> Github repository: http://github.com/glk/pefs
>
> More details on my blog: http://glebkurtsou.blogspot.com/search/label/pefs
>
> Thanks,
> Gleb.
>
More information about the freebsd-current
mailing list