From: Gleb Kurtsou
To: "Julian H. Stacey"
Cc: freebsd-current@freebsd.org, delphij@freebsd.org, Kris Moore
Date: Mon, 7 Oct 2013 13:26:23 -0700
Subject: Re: Committing PEFS to CURRENT
In-Reply-To: <201310071958.r97Jw56I096162@fire.js.berklix.net>
List: freebsd-current@freebsd.org (Discussions about the use of FreeBSD-current)

On Mon, Oct 7, 2013 at 12:58 PM, Julian H. Stacey wrote:
> Hi Gleb & All
> Gleb Kurtsou wrote:
>> Hello,
>>
>> I would like to ask everybody's opinion regarding committing PEFS to
>> CURRENT.
>>
>> PEFS is a stacked cryptographic file system for FreeBSD. Development
>> started as a Google Summer of Code project in 2009. It has been in ports
>> since Sept 2011. I maintain the project.
>>
>> Conceptually PEFS is similar to nullfs, adding an encryption layer on top of
>> it. But it differs technically by not using vop_bypass. Other popular
>> stacked cryptographic file systems include eCryptfs (Linux) and encfs
>> (FUSE). There is also the pam_pefs PAM module to allow user authentication
>> with their PEFS-encrypted home directory password.
>
> 2 others are also already in FreeBSD src/ (not just ports): gbde & geli.

geli and gbde are a different concept: they provide encrypted block-level
devices. PEFS transparently encrypts data on an existing file system.
Here is what you can do with PEFS:

% mkdir ~/Private
% pefs mount ~/Private ~/Private
% pefs addkey ~/Private
% echo "Hello WORLD" > ~/Private/test
% ls -Al ~/Private
total 1
-rw-r--r--  1 gleb  gleb  12 Oct  1 12:55 test
% cat ~/Private/test
Hello WORLD
% pefs unmount ~/Private
% ls -Al ~/Private
total 1
-rw-r--r--  1 gleb  gleb  12 Oct  1 12:55 .DU6eudxZGtO8Ry_2Z3Sl+tq2hV3O75jq
% hd ~/Private/.DU6eudxZGtO8Ry_2Z3Sl+tq2hV3O75jq
00000000  7f 1e 1b 05 fc 8a 5c 38  fc d8 2d 5f              |......\8..-_|
0000000c

Take a look at the great article in BSD Magazine, or at
http://glebkurtsou.blogspot.com/2009/10/encrypting-private-directory-with-pefs.html

> Whether moved from ports to src or not, either way,
> I suggest adding to man section SEE ALSO gbde(8) & geli(8)

Good point, thanks.

> Also, SEE ALSO of gbde & geli should probably ref ports/sysutils/pefs-kmod
> ft: Command not found.
>
> No pefs yet in SEE ALSO of
> http://www.freebsd.org/cgi/man.cgi?query=gbde&apropos=0&sektion=8&manpath=FreeBSD+9.2-RELEASE&arch=default&format=html
> http://www.freebsd.org/cgi/man.cgi?query=geli&apropos=0&sektion=8&manpath=FreeBSD+9.2-RELEASE&arch=default&format=html
>
> I suggest adding an href inside:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html
> Even if just a 1-liner to start, to expand to a section later.
> (None there for 'pefs', I just searched)
>
> Personally I've been using gbde based on top of a file inside a UFS
> for a long time. I can't remember why I chose gbde rather than geli,
> I guess because it was there first?
>
> A dummy's guide, short notes along the lines of "Which of these 3 should I use?",
> might also later be nice at the top of that web page :-)

There is no answer to the question; each system does its own thing and does
it differently:

* With PEFS backups are much easier:
  - Use regular backup software for backing up the encrypted data (the lower
    level file system), which also allows backing up only the delta.
  - Create file system snapshots, e.g. zfs, then zfs send/receive, regardless
    of whether the file system is encrypted or not.
* Setting up multiple encrypted file systems is much easier -- no need to
  preallocate storage and create a file system.
* With PEFS it's possible to add a key to an encrypted home directory during
  login (pam_pefs).
* PEFS lets you use multiple keys in the same file system.

Thanks,
Gleb.