Date: Tue, 7 Sep 2010 21:03:24 +0300 From: Gleb Kurtsou <gleb.kurtsou@gmail.com> To: freebsd-current@FreeBSD.org Subject: Re: RFC: pefs - stacked cryptographic filesystem Message-ID: <20100907180303.GC1793@tops> In-Reply-To: <20100906183838.GA3460@tops> References: <20100906183838.GA3460@tops>
next in thread | previous in thread | raw e-mail | index | archive | help
Thanks to Peter Holm and Thomas Vogt for finding several bugs: * Compilation with DIAGNOSTIC option * Vnode reference and lock leak in pefs_rename() I've uploaded new version to test: http://github.com/downloads/glk/pefs/pefs-2010-09-07.tar.gz Github repository is also updated. Also note, that if you have extra debugging options like DEBUG_LOCKS in your kernel config pefs module has to be build with same options. I set KERNBUILDDIR to my kernel build directory to make it work: # uname -v FreeBSD 9.0-CURRENT #25 r212049+d758796: Tue Aug 31 22:09:45 EEST 2010 root@tops:/usr/obj/freebsd-src/local/sys/TOPS # export KERNBUILDDIR=/usr/obj/freebsd-src/local/sys/TOPS # cd pefs/sys/modules/pefs # make clean # make && make install Thanks, Gleb. On (06/09/2010 21:38), Gleb Kurtsou wrote: > Hello, > > I would like to ask for feedback on a kernel level stacked cryptographic > filesystem. It has started as Summer Of Code'2009 project and matured a > lot since then. I've recently added support for sparse files and > switched to XTS encryption mode. > > I've been using it to encrypt my home directory for almost a year > already, and use fsx, dbench and blogbench for testing. So it should be > fairly stable. > > Tested on top of ZFS, UFS and tmpfs on amd64 and i386; both 9-CURRENT > and 8-STABLE supported. > > Please email me separately if you're willing to help testing on big > endian machine, XTS code doesn't look endian correct. > > At this point all of the project goals complete and I'd like it to get > wider coverage in terms of tests and reviews and hope to see it commited > to HEAD soon. > > > Installation instructions: > > 1a. Clone git repository: > # git clone git://github.com/glk/pefs.git pefs > # cd pefs > > 1b. Or download latest snapshot from github: > http://github.com/glk/pefs/archives/master > > 2. Build and install: > # make obj all > # make install > > 3. Mount pefs filesystem: > # pefs mount ~/Private ~/Private > > 4. Enter passphrase: > # pefs addkey ~/Private > > 5. Test it and report back. There is also a man page available. > > 6. Example how to save your key in keychain database. > > pefs has to be mounted and key specified to make fs writable, create > keychain with single entry (keychain -Z option): > # pefs addchain -Z ~/Private > Don't encrypt .pefs.db: > # mv ~/Private/.pefs.db /tmp > # umount ~/Private > # mv /tmp/.pefs.db ~/Private > # pefs mount ~/Private ~/Private > Use -c option to verify key is in database > # pefs addkey -c ~/Private > > 7. You can setup pam_pefs (not compiled by default) to add key to home > directory and authenticate against keychain database on login, e.g. by > adding the following line to /etc/pam.d/system before pam_unix.so: > > auth sufficient pam_pefs.so try_first_pass > > > The following is a list of its most important features: > > * Kernel level file system, no user level daemons needed. > Transparently runs on top of existing file systems. > * Random per file tweak value used for encryption, which guaranties > different cipher texts for the same encrypted files. > * Saves metadata only in encrypted file name, but not in file itself. > * Supports arbitrary number of keys per file system, default directory > key, mixing files encrypted with different keys in same directory. > * Allows defining key chains, can be used to add/delete several keys > by specifying only master key. > * Uses modern cryptographic algorithms: AES and Camellia in XTS mode, > PKCS#5v2 and HKDF for key generation. > > > Github repository: http://github.com/glk/pefs > > More details on my blog: http://glebkurtsou.blogspot.com/search/label/pefs > > Thanks, > Gleb. >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100907180303.GC1793>