Date:      26 Sep 2002 11:53:34 +0930
From:      "Daniel O'Connor" <doconnor@gsoft.com.au>
To:        James Gritton <gritton@iserver.com>
Cc:        hackers@FreeBSD.ORG
Subject:   Re: The poor man's cryptfs
Message-ID:  <1033007019.22320.11.camel@chowder.gsoft.com.au>
In-Reply-To: <x7r8fhk63n.fsf@guppy.dmz.orem.verio.net>
References:  <x7r8fhk63n.fsf@guppy.dmz.orem.verio.net>

On Thu, 2002-09-26 at 08:52, James Gritton wrote:
> After playing with a few encrypted filesystems, and giving up on them (after
> a kernel crash or two), I went looking for something else to encrypt.  The
> logical choice is the device.

Have you seen ports/security/vncrypt?

I use ports/security/cfs which uses a loopback NFS server to decrypt a
backing directory for you. It is nice because it expands on the fly but
it isn't a speed demon.

> Well, the virtual device.  Like a cryptfs that's based on a loopback mount,
> I'm encrypting a virtual device based on the "vn" driver.  This was only a
> few hours' work, though it's admittedly incomplete.  This is based on the
> Blowfish code in the kernel used by ipsec and such, with an extra ioctl
> added to set the key.  Only three source files require modification:
> 
> sys/sys/vnioctl.h:
>   Define the VNIOCSETKEY ioctl
> 
> usr.sbin/vnconfig/vnconfig.c:
>   Add a "-k" option to specify that an encryption key should be entered via
>   getpass(), and passed in with the above ioctl.
> 
> sys/dev/vn/vn.c:
>   Add a blowfish key entry to the softc structure.  This is set via the
>   above ioctl, which converts a passed-in string into the key data.
>   Encryption is done around the vn's VOP_READ and VOP_WRITE calls, in
>   512-byte CBC chunks.
> 
> That's it - 90 lines of new code.  This is for my purposes complete and
> working, which is to say neither is quite true.  For production-quality
> code, some work remains:

Impressive :)

-- 
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 9A8C 569F 685A D928 5140  AE4B 319B 41F4 5D17 FDD5
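
Added example, not part of the original thread and not James Gritton's patch: a user-space sketch of the "512-byte CBC chunks" scheme the quoted message describes. XTEA stands in for the kernel Blowfish code (both use 64-bit blocks), and the per-sector IV derivation, the function names and the sample key are assumptions, since the message does not say how IVs are chosen.

```c
#include <stdint.h>
#include <string.h>

#define SECTOR 512   /* chunk size named in the message */
#define BLK    8     /* 64-bit block, the same width as Blowfish */

/* XTEA, a stand-in 64-bit block cipher (assumption: the patch uses kernel Blowfish). */
static void xtea(const uint32_t k[4], uint32_t v[2], int enc) {
    const uint32_t d = 0x9E3779B9;
    uint32_t s = enc ? 0 : d * 32;
    for (int i = 0; i < 32; i++) {
        if (enc) {
            v[0] += (((v[1] << 4) ^ (v[1] >> 5)) + v[1]) ^ (s + k[s & 3]);
            s += d;
            v[1] += (((v[0] << 4) ^ (v[0] >> 5)) + v[0]) ^ (s + k[(s >> 11) & 3]);
        } else {
            v[1] -= (((v[0] << 4) ^ (v[0] >> 5)) + v[0]) ^ (s + k[(s >> 11) & 3]);
            s -= d;
            v[0] -= (((v[1] << 4) ^ (v[1] >> 5)) + v[1]) ^ (s + k[s & 3]);
        }
    }
}

/* CBC over one 512-byte sector, in place; the chain restarts at every sector. */
void sector_crypt(const uint32_t k[4], uint64_t sec, uint8_t *buf, int enc) {
    uint32_t prev[2] = { (uint32_t)sec, (uint32_t)(sec >> 32) }, in[2], b[2];
    xtea(k, prev, 1);   /* IV = E_k(sector number): hypothetical, not from the message */
    for (int off = 0; off < SECTOR; off += BLK) {
        memcpy(in, buf + off, BLK);
        memcpy(b, in, BLK);
        if (enc) { b[0] ^= prev[0]; b[1] ^= prev[1]; xtea(k, b, 1); memcpy(prev, b, BLK); }
        else     { xtea(k, b, 0); b[0] ^= prev[0]; b[1] ^= prev[1]; memcpy(prev, in, BLK); }
        memcpy(buf + off, b, BLK);
    }
}

/* Constructed data: two identical sectors must encrypt differently and round-trip. */
int selftest(void) {
    const uint32_t k[4] = { 1, 2, 3, 4 };
    uint8_t p[SECTOR], a[SECTOR], b[SECTOR];
    memset(p, 0x41, SECTOR); memcpy(a, p, SECTOR); memcpy(b, p, SECTOR);
    sector_crypt(k, 0, a, 1);
    sector_crypt(k, 1, b, 1);
    int differ = memcmp(a, b, SECTOR) != 0;
    sector_crypt(k, 0, a, 0);
    sector_crypt(k, 1, b, 0);
    return differ && !memcmp(a, p, SECTOR) && !memcmp(b, p, SECTOR);
}

int main(void) { return selftest() ? 0 : 1; }
```

Because the chain restarts at each sector, any sector can be read or rewritten on its own, which is what a block device needs; the sector-dependent IV is what keeps identical plaintext sectors from producing identical ciphertext.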

