From owner-freebsd-fs@FreeBSD.ORG Wed Mar 21 10:09:12 2012 Return-Path: Delivered-To: fs@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 263AF1065673; Wed, 21 Mar 2012 10:09:12 +0000 (UTC) (envelope-from victor@bsdes.net) Received: from equilibrium.bsdes.net (244.Red-217-126-240.staticIP.rima-tde.net [217.126.240.244]) by mx1.freebsd.org (Postfix) with ESMTP id BD42F8FC21; Wed, 21 Mar 2012 10:09:11 +0000 (UTC) Received: by equilibrium.bsdes.net (Postfix, from userid 1001) id 4283639844; Wed, 21 Mar 2012 11:09:05 +0100 (CET) Date: Wed, 21 Mar 2012 11:09:05 +0100 From: Victor Balada Diaz To: Harald Schmalzbauer Message-ID: <20120321100905.GN5886@equilibrium.bsdes.net> References: <4F69A3C1.7040305@omnilan.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <4F69A3C1.7040305@omnilan.de> User-Agent: Mutt/1.5.21 (2010-09-15) Cc: FreeBSD current , fs@freebsd.org Subject: Re: Idea for GEOM and policy based file encryption X-BeenThere: freebsd-fs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Filesystems List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Mar 2012 10:09:12 -0000 On Wed, Mar 21, 2012 at 10:47:45AM +0100, Harald Schmalzbauer wrote: > Hello, > > I personally don't have the need to encrypt whole filesystems and if I > need to transfer sensitive data I use gpg to encrypt the tarball or > whatever. > But, I'd like to see some single files encrypted on my systems, eg. > wpasupplicant.conf, ipsec.conf aso. > Since I recently secured LDAP queries via IPSec, I found this to be the > absolute perfect solution. Encryption takes place only where really > needed with about no overhead (compared to SSL-LDAP) > So would it be imaginable, that there's something like the SPD for > network sockets also for files? > The idea is that in this fileSPD, there's the entry that /etc/ipsec.conf > must be aes encrypted. In a fileSA, there's the info that > /etc/ipsec.conf can be read by uid xyz (or only one specific kernel, > identified by something new to implement) and with a special key ID. The > keys are loadad as modules, optionally symmetric encrypted by passphrase. > > Was such a policy based file encryption control doable with GEOM? > Maybe it's easier to make use of existing tools like gpg with GEOM > interaction? > I don't want to reinvent any file encryption, I just need some automatic > encryption (without _mandatory_ interaction) with lowest possible bypass > possibilities. > > Thanks, > Hello Harald, I'm not an expert, but i guess that GEOM is not the place for that kind of encryption. GEOM have no knowledge about files or directories. That is file system specific. You would need to modify UFS, or maybe do something like CFS[1]. CFS works as an NFS server and you could modify it to only cipher the needed files. Also you could write a simple FS on FUSE, but last time i checked, our FUSE support had some problems. I hope it helps. Regards. Victor. [1]: http://www.crypto.com/software/ -- La prueba más fehaciente de que existe vida inteligente en otros planetas, es que no han intentado contactar con nosotros.