From: Ivan Voras
Date: Tue, 7 Sep 2010 23:07:44 +0200
To: Gleb Kurtsou
In-Reply-To: <20100907200507.GB2804@tops>
References: <20100906183838.GA3460@tops> <20100907200507.GB2804@tops>
Cc: freebsd-current@freebsd.org
Subject: Re: RFC: pefs - stacked cryptographic filesystem

On 7 September 2010 22:05, Gleb Kurtsou wrote:
> On (07/09/2010 16:27), Ivan Voras wrote:
>> On 09/06/10 20:38, Gleb Kurtsou wrote:
>> > Hello,
>> >
>> > I would like to ask for feedback on a kernel level stacked cryptographic
>> > filesystem. It has started as Summer Of Code'2009 project and matured a
>> > lot since then. I've recently added support for sparse files and
>> > switched to XTS encryption mode.
>>
>> I've tried it and so far it works :)
>>
>> > 3. Mount pefs filesystem:
>> > # pefs mount ~/Private ~/Private
>>
>> I see you've used the same example in the man page. Maybe it would be
>> better for educational purposes to use two separate directories, e.g.
>> ~/Private and ~/Decrypted to avoid confusion by new users (of course not
>> all examples need to use this).
> Actually I've used the same directory solely for educational purposes --
> there is just one directory, it's either encrypted or not.

The other directory is a mount point - this is what I was aiming at.

> If user enters k1, the following chain can be retrieved from the
> database: k1 k2 k3. All three keys are then added to filesystem.
>
> In case of k2 chain is k2 k3.
>
> All entries stored encrypted in a way that child entry can be decrypted
> only by parent key.
>
> Using key chains one can emulate access levels.

I don't know if it is cryptographically sound but it seems like too
much trouble :)

>> > 7. You can setup pam_pefs (not compiled by default) to add key to home
>> > directory and authenticate against keychain database on login, e.g. by
>> > adding the following line to /etc/pam.d/system before pam_unix.so:
>> >
>> > auth       sufficient      pam_pefs.so     try_first_pass
>>
>> So, this would bypass passwd and let the user in if his password
>> authenticates against the "keychain database" in his home directory?
> Exactly, that's the way I use it. More detailed description available
> here: http://marc.info/?l=freebsd-current&m=128388197901390&w=2
>
>> Will it automagically pefs-mount his home directory?
> No, not mounting pefs is intentional. It automagically adds keys to
> already mounted pefs filesystem.

Ok, so for example on a desktop client, a pefs-protected home
directory would always be mounted from fstab, and then decrypted on
login. Makes sense.
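
The key chain lookup quoted above (k1 yields k1 k2 k3, k2 yields k2 k3, each child entry decryptable only with its parent key), as an added example that is not part of the original thread and is not pefs code. The database layout, the HMAC-SHA256 stand-in for a real cipher, and every function name are assumptions made for illustration.

```python
import hashlib, hmac, os

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Keystream from HMAC-SHA256 in counter mode (stdlib stand-in, not the pefs cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(parent: bytes, child: bytes) -> bytes:
    # Encrypt-then-MAC the child key under the parent key.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(child, _stream(parent, nonce, len(child))))
    tag = hmac.new(parent, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(parent: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(parent, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("entry cannot be decrypted with this key")
    return bytes(a ^ b for a, b in zip(ct, _stream(parent, nonce, len(ct))))

def entry_id(key: bytes) -> bytes:
    # Database index derived from the parent key; it does not reveal the key.
    return hmac.new(key, b"index", hashlib.sha256).digest()

def add_link(db: dict, parent: bytes, child: bytes) -> None:
    db[entry_id(parent)] = wrap(parent, child)

def resolve_chain(db: dict, key: bytes, max_len: int = 16) -> list:
    # Follow parent -> child entries starting from the key the user entered.
    chain = [key]
    while len(chain) < max_len:  # the bound also stops a cyclic database
        blob = db.get(entry_id(chain[-1]))
        if blob is None:
            break
        chain.append(unwrap(chain[-1], blob))
    return chain

# Constructed sample keys and database: k1 -> k2 -> k3
K1, K2, K3 = (hashlib.sha256(b"constructed-k%d" % i).digest() for i in (1, 2, 3))
DB = {}
add_link(DB, K1, K2)
add_link(DB, K2, K3)
```

Holding k2 gives no path back to k1, because the only entry that mentions k1 is indexed and encrypted under k1 itself; that one-way property is what lets a chain emulate access levels.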