From owner-freebsd-security Sun Jan 27 14:35:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by hub.freebsd.org (Postfix) with ESMTP id 2EDAA37B417 for ; Sun, 27 Jan 2002 14:35:48 -0800 (PST) Received: (qmail 17486 invoked by uid 1000); 27 Jan 2002 22:35:43 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 27 Jan 2002 22:35:43 -0000 Date: Sun, 27 Jan 2002 14:35:37 -0800 (PST) From: Jason Stone X-X-Sender: To: Cc: peeter kallas Subject: Re: Cryptographic file systems In-Reply-To: <200201271251.g0RCpKX31851@june.tele2.ee> Message-ID: <20020127141053.T6286-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > I'm trying to find cryptographic file system for FreeBSD that suits my > needs, but there seems to be very little to choose from. I've found > only CFS from the ports collection, but it doesn't support multiple > users working on same directory TCFS - transparent crypto file system - like CFS only better, and includes support for sharing of the kind that you seem to need in recent versions. http://tcfs.dia.unisa.it/ FiST cryptfs - FiST (Filesystem Translator) is a project to create an OS-independent language for writing filesystems in - you write the filesystem in FiST and then use fistgen to compile it into a kld for linux, solaris, or freebsd. The distribution comes with a number of reference filesystems, including a cryptfs. http://www.cs.columbia.edu/~ezk/research/fist/ Both of these projects are linux-oriented, but do have some freebsd support. I haven't looked at tcfs recently, but fist will need some hacking just to compile. Once you've got it compiled, the simple filesystems like the rot13fs will work pretty well, but the more complex ones like cryptfs and gzipfs will probablly crash your box - at least they did for me under 0.0.4.1 and 0.0.4.2. FiST is being actively developed, though, and things may be better in the 0.0.5 series. I think that FiST cryptfs is the most promising cryptfs freebsd can expect, so watch its progress. Not wholly applicable to you, but also possibly of interest is SFS, the self-certifying file system. This darpa-funded project provides secure access over the net to your local filesystems (which may or may not be encrypted). http://www.fs.net/ Finally, if nothing else works, you can keep your files in encrypted tarballs (stream them through mcrypt from ports or openssl enc in the base system), then create ramdisk filesystems, unpack the files there, let users work with them, then when you're done, tar and encrypt them again. This is a hideous hack, but it does provide a way to work with your files without ever letting them land un-encrypted on disk. I wrote some scripts to do this years ago, before I discovered cfs. I don't reccommend this, but it does work. -Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE8VIC/swXMWWtptckRAttEAJ95E3pE7KaiIgQYiUPAHe98OmsSugCeK7Fq lCmb4h5rciBJYc7qIr4XMJk= =I68s -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message