From owner-freebsd-current@FreeBSD.ORG Mon Sep 6 23:03:32 2010 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DABD910656F0; Mon, 6 Sep 2010 23:03:31 +0000 (UTC) (envelope-from gleb.kurtsou@gmail.com) Received: from mail-ew0-f54.google.com (mail-ew0-f54.google.com [209.85.215.54]) by mx1.freebsd.org (Postfix) with ESMTP id 43A6F8FC25; Mon, 6 Sep 2010 23:03:29 +0000 (UTC) Received: by ewy4 with SMTP id 4so2428591ewy.13 for ; Mon, 06 Sep 2010 16:03:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:date:from:to:cc:subject :message-id:references:mime-version:content-type:content-disposition :in-reply-to:user-agent; bh=XtdptLSGyyeQ1c5fvHuHXUQ6u3310n82U/yuVOjJUXc=; b=AXQz9/6Zc7CY7MUjoF4vajv1GZg/Y06Xu/3lCPEFWzurzP5PNDe6Qq6s/0PkCn5H/I b0mxgyEFrzRRJ7GBTdNiWwTfTIGpgZfDmW5/qq4ZRBhPKw82s8QDIdJaM78aXqUVURP/ ViRTdNXXB9fsfKmWJ2S5XmS8UNlGuu9Ppq6Hg= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent; b=PiBPuElTvL61u0O67OXd2ydSsq7mpEpWsJqSfw2FkHm0yPMpZp56TDvFuZ3Tc1eema pRfipSmQrzMlJSzBu0pnp3BClsFEr3EYUw9mdxRFbO/yb4LdsPrZHyQ4vxccYPMRgY6E N/U3IlnOrpF8XVdkMJI6B6IoaF7t4FY+4JY/E= Received: by 10.213.17.199 with SMTP id t7mr2661953eba.41.1283814208625; Mon, 06 Sep 2010 16:03:28 -0700 (PDT) Received: from localhost ([212.98.186.134]) by mx.google.com with ESMTPS id u9sm8822953eeh.11.2010.09.06.16.03.26 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 06 Sep 2010 16:03:27 -0700 (PDT) Date: Tue, 7 Sep 2010 02:03:22 +0300 From: Gleb Kurtsou To: freebsd-current@FreeBSD.org Message-ID: <20100906230322.GA5457@tops> References: <20100906183838.GA3460@tops> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20100906183838.GA3460@tops> User-Agent: Mutt/1.5.20 (2009-06-14) Cc: stas@FreeBSD.org, kan@FreeBSD.org, pho@FreeBSD.org, jeff@FreeBSD.org, attilio@FreeBSD.org, kib@FreeBSD.org, tegge@FreeBSD.org, giovanni.trematerra@gmail.com Subject: Re: RFC: pefs - stacked cryptographic filesystem X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Sep 2010 23:03:32 -0000 Sorry for replying to myself, I've realized I put wrong download link: http://github.com/downloads/glk/pefs/pefs-2010-09-06.tar.gz On (06/09/2010 21:38), Gleb Kurtsou wrote: > Hello, > > I would like to ask for feedback on a kernel level stacked cryptographic > filesystem. It has started as Summer Of Code'2009 project and matured a > lot since then. I've recently added support for sparse files and > switched to XTS encryption mode. > > I've been using it to encrypt my home directory for almost a year > already, and use fsx, dbench and blogbench for testing. So it should be > fairly stable. > > Tested on top of ZFS, UFS and tmpfs on amd64 and i386; both 9-CURRENT > and 8-STABLE supported. > > Please email me separately if you're willing to help testing on big > endian machine, XTS code doesn't look endian correct. > > At this point all of the project goals complete and I'd like it to get > wider coverage in terms of tests and reviews and hope to see it commited > to HEAD soon. > > > Installation instructions: > > 1a. Clone git repository: > # git clone git://github.com/glk/pefs.git pefs > # cd pefs > > 1b. Or download latest snapshot from github: > http://github.com/glk/pefs/archives/master Or use direct download link: http://github.com/downloads/glk/pefs/pefs-2010-09-06.tar.gz > > 2. Build and install: > # make obj all > # make install > > 3. Mount pefs filesystem: > # pefs mount ~/Private ~/Private > > 4. Enter passphrase: > # pefs addkey ~/Private > > 5. Test it and report back. There is also a man page available. > > 6. Example how to save your key in keychain database. > > pefs has to be mounted and key specified to make fs writable, create > keychain with single entry (keychain -Z option): > # pefs addchain -Z ~/Private > Don't encrypt .pefs.db: > # mv ~/Private/.pefs.db /tmp > # umount ~/Private > # mv /tmp/.pefs.db ~/Private > # pefs mount ~/Private ~/Private > Use -c option to verify key is in database > # pefs addkey -c ~/Private > > 7. You can setup pam_pefs (not compiled by default) to add key to home > directory and authenticate against keychain database on login, e.g. by > adding the following line to /etc/pam.d/system before pam_unix.so: > > auth sufficient pam_pefs.so try_first_pass > > > The following is a list of its most important features: > > * Kernel level file system, no user level daemons needed. > Transparently runs on top of existing file systems. > * Random per file tweak value used for encryption, which guaranties > different cipher texts for the same encrypted files. > * Saves metadata only in encrypted file name, but not in file itself. > * Supports arbitrary number of keys per file system, default directory > key, mixing files encrypted with different keys in same directory. > * Allows defining key chains, can be used to add/delete several keys > by specifying only master key. > * Uses modern cryptographic algorithms: AES and Camellia in XTS mode, > PKCS#5v2 and HKDF for key generation. > > > Github repository: http://github.com/glk/pefs > > More details on my blog: http://glebkurtsou.blogspot.com/search/label/pefs > > Thanks, > Gleb. >