Date: Mon, 7 Oct 2013 13:26:23 -0700
From: Gleb Kurtsou <gleb.kurtsou@gmail.com>
To: "Julian H. Stacey" <jhs@berklix.com>
Cc: "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>, "delphij@freebsd.org" <delphij@freebsd.org>, Kris Moore <kris@pcbsd.org>
Subject: Re: Committing PEFS to CURRENT
Message-ID: <CADDB7yE5fY4Tm-Ck2vncbMC2oVX7H0ntoB-zcA3HayTmHnvVbQ@mail.gmail.com>
In-Reply-To: <201310071958.r97Jw56I096162@fire.js.berklix.net>
References: <20131007163111.GB1590@reks.swifttest.com> <201310071958.r97Jw56I096162@fire.js.berklix.net>
On Mon, Oct 7, 2013 at 12:58 PM, Julian H. Stacey <jhs@berklix.com> wrote:
> Hi Gleb & All
> Gleb Kurtsou wrote:
>> Hello,
>>
>> I would like to ask everybody's opinion regarding committing PEFS to
>> CURRENT.
>>
>> PEFS is a stacked cryptographic file system for FreeBSD. Development
>> started as a Google Summer of Code project in 2009. It has been in ports
>> since Sept 2011. I maintain the project.
>>
>> Conceptually PEFS is similar to nullfs, adding an encryption layer on top of
>> it. But it differs technically by not using vop_bypass. Other popular
>> stacked cryptographic file systems include eCryptfs (Linux) and encfs
>> (FUSE). There is also a pam_pefs PAM module to allow user authentication
>> with their PEFS-encrypted home directory password.
>
> 2 others are also already in FreeBSD src/ (not just ports) gbde & geli.

geli and gbde are a different concept: they provide encrypted block-level
devices. PEFS transparently encrypts data on an existing file system.

Here is what you can do with PEFS:

% mkdir ~/Private
% pefs mount ~/Private ~/Private
% pefs addkey ~/Private
% echo "Hello WORLD" > ~/Private/test
% ls -Al ~/Private
total 1
-rw-r--r--  1 gleb  gleb  12 Oct  1 12:55 test
% cat ~/Private/test
Hello WORLD
% pefs unmount ~/Private
% ls -Al ~/Private
total 1
-rw-r--r--  1 gleb  gleb  12 Oct  1 12:55 .DU6eudxZGtO8Ry_2Z3Sl+tq2hV3O75jq
% hd ~/Private/.DU6eudxZGtO8Ry_2Z3Sl+tq2hV3O75jq
00000000  7f 1e 1b 05 fc 8a 5c 38  fc d8 2d 5f                 |......\8..-_|
0000000c

Take a look at a great article in the BSD Magazine or
http://glebkurtsou.blogspot.com/2009/10/encrypting-private-directory-with-pefs.html

> Whether moved from ports to src or not, either way,
> I suggest adding to man section SEE ALSO gbde(8) & geli(8)

Good point, thanks.

> Also, SEE ALSO of gbde & geli should probably ref ports/sysutils/pefs-kmod
> ft: Command not found.
>
> No pefs yet in SEE ALSO of
> http://www.freebsd.org/cgi/man.cgi?query=gbde&apropos=0&sektion=8&manpath=FreeBSD+9.2-RELEASE&arch=default&format=html
> http://www.freebsd.org/cgi/man.cgi?query=geli&apropos=0&sektion=8&manpath=FreeBSD+9.2-RELEASE&arch=default&format=html
>
> I suggest adding an href inside:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html
> Even if just a 1 liner to start, to expand to a section later.
> (None there for 'pefs', I just searched)
>
> Personally I've been using gbde based on top of a file inside a UFS
> for a long time, I can't remember why I chose gbde rather than geli,
> I guess because it was there first ?
>
> A dummy's guide short notes along the lines of "Which of these 3 should I use?"
> might also later be nice at the top of that web page :-)
>

There is no answer to the question; each system does its own thing and does it differently:

* With PEFS backups are much easier:
  - Use regular backup software for backing up the encrypted data (the lower-level file system); this allows delta-only backups.
  - Create file system snapshots, e.g. zfs, then zfs send/receive, regardless of whether the file system is encrypted or not.
* Setting up multiple encrypted file systems is much easier -- no need to preallocate storage and create a file system.
* With PEFS it's possible to add a key to an encrypted home directory during login (pam_pefs).
* PEFS lets you use multiple keys in the same file system.

Thanks,
Gleb.
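The listings and hexdump in the message illustrate what distinguishes a stacked file system like PEFS from block-level geli/gbde: the lower directory keeps one ciphertext file per plaintext file, of the same length, with the same size, timestamp, owner and mode, and only the name and contents are encrypted. That per-file structure is what makes delta backups of the lower file system possible, and it is also the metadata a stacked encryption layer leaves visible. The script below is an added example, not code from the PEFS project or from the original message: it parses the two `ls -Al` listings and the `hd` dump quoted above (embedded here as constructed strings copied from the message) and reports which fields the encrypted view still exposes, plus how much the on-disk ciphertext grew relative to the 12-byte plaintext.

```python
"""Report what a PEFS lower (encrypted) directory still reveals, by comparing
the `ls -Al` listing taken through the mount with the listing taken after
`pefs unmount`, and by measuring the ciphertext file length from an `hd` dump."""
import re

# Constructed inputs: the two listings and the hexdump copied from the message.
PLAIN_LS = """total 1
-rw-r--r--  1 gleb  gleb  12 Oct  1 12:55 test
"""
ENC_LS = """total 1
-rw-r--r--  1 gleb  gleb  12 Oct  1 12:55 .DU6eudxZGtO8Ry_2Z3Sl+tq2hV3O75jq
"""
ENC_HD = r"""00000000  7f 1e 1b 05 fc 8a 5c 38  fc d8 2d 5f                 |......\8..-_|
0000000c
"""
# What `echo "Hello WORLD" > ~/Private/test` wrote through the PEFS mount.
PLAINTEXT = b"Hello WORLD\n"

# One `ls -l` entry: mode, link count, owner, group, size, mtime, name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+"
    r"(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Za-z]{3}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))\s+(?P<name>.+)$"
)
# One `hd` data line: offset, hex bytes, then the ASCII column.
HD_LINE = re.compile(r"^[0-9a-f]{8}\s+((?:[0-9a-f]{2}\s+)+)\|")


def parse_ls(text):
    """Return the entries of an `ls -l` listing as dicts, skipping 'total N'."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("total "):
            continue
        m = LS_LINE.match(line)
        if m is None:
            raise ValueError("unrecognised ls -l line: %r" % line)
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entries.append(entry)
    return entries


def parse_hd(text):
    """Reassemble the bytes shown by `hd`; the final offset-only line is ignored."""
    data = bytearray()
    for line in text.splitlines():
        m = HD_LINE.match(line)
        if m:
            data += bytes.fromhex("".join(m.group(1).split()))
    return bytes(data)


def exposed_metadata(plain_ls, enc_ls):
    """Compare the mounted (plaintext) view with the lower (encrypted) view.

    Every column the two views share is metadata the encrypted directory still
    reveals; file names are the one thing hidden in the lower listing.
    """
    plain, enc = parse_ls(plain_ls), parse_ls(enc_ls)

    def column(entries, key):
        return sorted(e[key] for e in entries)

    plain_names = {e["name"] for e in plain}
    enc_names = {e["name"] for e in enc}
    return {
        "entry_count": len(enc),
        "count_visible": len(enc) == len(plain),
        "sizes_visible": column(plain, "size") == column(enc, "size"),
        "mtimes_visible": column(plain, "mtime") == column(enc, "mtime"),
        "owners_visible": column(plain, "owner") == column(enc, "owner"),
        "modes_visible": column(plain, "mode") == column(enc, "mode"),
        "names_hidden": plain_names.isdisjoint(enc_names),
    }


def ciphertext_expansion(plaintext, hd_text):
    """On-disk growth in bytes relative to the plaintext (0 = length preserving)."""
    return len(parse_hd(hd_text)) - len(plaintext)


if __name__ == "__main__":
    for field, value in exposed_metadata(PLAIN_LS, ENC_LS).items():
        print("%-15s %s" % (field, value))
    print("ciphertext expansion: %d bytes" % ciphertext_expansion(PLAINTEXT, ENC_HD))
```

The same functions can be fed live output from `ls -Al` taken before and after `pefs unmount` on a real directory. The result for the quoted session is that count, size, mtime, owner and mode all survive in the lower file system and the 12-byte plaintext became exactly 12 bytes of ciphertext; with geli or gbde that metadata sits inside the encrypted block device instead, which is the trade-off behind the "which of these should I use?" question.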