From owner-freebsd-hackers Wed Sep 25 19:23:47 2002 Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A3BCF37B401 for ; Wed, 25 Sep 2002 19:23:45 -0700 (PDT) Received: from cain.gsoft.com.au (genesi.lnk.telstra.net [139.130.136.161]) by mx1.FreeBSD.org (Postfix) with ESMTP id 622B943E9C for ; Wed, 25 Sep 2002 19:23:43 -0700 (PDT) (envelope-from doconnor@gsoft.com.au) Received: from localhost (localhost [127.0.0.1]) by cain.gsoft.com.au (8.12.4/8.12.3) with ESMTP id g8Q2NZ2l074759; Thu, 26 Sep 2002 11:53:39 +0930 (CST) (envelope-from doconnor@gsoft.com.au) Subject: Re: The poor man's cryptfs From: "Daniel O'Connor" To: James Gritton Cc: hackers@FreeBSD.ORG In-Reply-To: References: Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.8 Date: 26 Sep 2002 11:53:34 +0930 Message-Id: <1033007019.22320.11.camel@chowder.gsoft.com.au> Mime-Version: 1.0 X-Spam-Score: -3.4 () IN_REP_TO X-Scanned-By: MIMEDefang 2.16 (www . roaringpenguin . com / mimedefang) Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Thu, 2002-09-26 at 08:52, James Gritton wrote: > After playing with a few encrypted filesystems, and giving up on them (after > a kernel crash or two), I went looking for something else to encrypt. The > logical choice is the device. Have you seen ports/security/vncrypt? I use ports/security/cfs which uses a loopback NFS server to decrypt a backing directory for you. It is nice because it expands on the fly but it isn't a speed demon. > Well, the virtual device. Like a cryptfs that's based on a loopback mount, > I'm encrypting a virtual device based on the "vn" driver. This was only a > few hours' work, though it's admittedly incomplete. This is based on the > Blowfish code in the kernel used by ipsec and such, which an extra ioctl > added to set the key. Only three source files require modification: > > sys/sys/vnioctl.h: > Define the VNIOCSETKEY ioctl > > usr.sbin/vnconfig/vnconfig.c: > Add a "-k" option to specify that an encryption key should be entered via > getpass(), and passed in with the above ioctl. > > sys/dev/vn/vn.c > Add a blowfish key entry to the softc structure. This is set via the > above ioctl, which converts a passed-in string into the key data. > Encryption is done around the vn's VOP_READ and VOP_WRITE calls, in > 512-byte CBC chunks. > > That's it - 90 lines of new code. This is for my purposes complete and > working, which is to say neither is quite true. For production-quality > code, some work remains: Impressive :) -- Daniel O'Connor software and network engineer for Genesis Software - http://www.gsoft.com.au "The nice thing about standards is that there are so many of them to choose from." -- Andrew Tanenbaum GPG Fingerprint - 9A8C 569F 685A D928 5140 AE4B 319B 41F4 5D17 FDD5 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message