From owner-freebsd-current@FreeBSD.ORG Mon Oct 7 22:57:18 2013
Message-Id: <201310072256.r97Mug2q017915@fire.js.berklix.net>
From: "Julian H. Stacey"
Sender: jhs@berklix.com
Organization: http://berklix.com BSD Unix Linux Consultancy, Munich Germany
To: Gleb Kurtsou
Cc: "freebsd-current@freebsd.org", "delphij@freebsd.org", Kris Moore
Subject: Re: Committing PEFS to CURRENT
Date: Tue, 08 Oct 2013 00:56:42 +0200
In-reply-to: Your message "Mon, 07 Oct 2013 13:26:23 PDT."

Gleb Kurtsou wrote:
> On Mon, Oct 7, 2013 at 12:58 PM, Julian H. Stacey wrote:
> > Hi Gleb & All
> > Gleb Kurtsou wrote:
> >> Hello,
> >>
> >> I would like to ask everybody's opinion regarding committing PEFS to
> >> CURRENT.
> >>
> >> PEFS is a stacked cryptographic file system for FreeBSD. Development
> >> started as a Google Summer of Code project in 2009. It has been in ports
> >> since Sept 2011. I maintain the project.
> >>
> >> Conceptually PEFS is similar to nullfs, adding an encryption layer on
> >> top of it. But it differs technically by not using vop_bypass. Other
> >> popular stacked cryptographic file systems include eCryptfs (linux) and
> >> encfs (fuse). There is also a pam_pefs PAM module to allow user
> >> authentication with their PEFS-encrypted home directory password.
> >
> > 2 others are also already in FreeBSD src/ (not just ports): gbde & geli.
>
> geli and gbde are a different concept, they provide encrypted block
> level devices.

Yes, I allocate eg 2 Gig { via dd on a file on UFS or an MBR partition
on a USB stick }, [then use mdconfig if a file on UFS] before I gbde.
I've always thought I'd have to bite the ZFS bullet to escape fixed
sizing, but PEFS offers variable sizing :-)

> PEFS transparently encrypts data on an existing file system.
>
> Here is what you can do with PEFS:
> % mkdir ~/Private
> % pefs mount ~/Private ~/Private
> % pefs addkey ~/Private
> % echo "Hello WORLD" > ~/Private/test
> % ls -Al ~/Private
> total 1
> -rw-r--r--  1 gleb  gleb  12 Oct  1 12:55 test
> % cat ~/Private/test
> Hello WORLD
> % pefs unmount ~/Private
> % ls -Al ~/Private
> total 1
> -rw-r--r--  1 gleb  gleb  12 Oct  1 12:55 .DU6eudxZGtO8Ry_2Z3Sl+tq2hV3O75jq
> % hd ~/Private/.DU6eudxZGtO8Ry_2Z3Sl+tq2hV3O75jq
> 00000000  7f 1e 1b 05 fc 8a 5c 38  fc d8 2d 5f              |......\8..-_|
> 0000000c

Nice.

> Take a look at a great article in the BSD Magazine, or download it (free):
> http://glebkurtsou.blogspot.com/2009/10/encrypting-private-directory-with-pefs.html

Will do.

> > Whether moved from ports to src or not, either way,
> > I suggest adding to man section SEE ALSO gbde(8) & geli(8)
>
> Good point, thanks.
>
> > Also, SEE ALSO of gbde & geli should probably ref ports/sysutils/pefs-kmod
> > ft: Command not found.

Sorry, the line above my mouse seems to have caught my mistyped vi !}fmt
from elsewhere.

> > No pefs yet in SEE ALSO of
> > http://www.freebsd.org/cgi/man.cgi?query=gbde&apropos=0&sektion=8&manpath=FreeBSD+9.2-RELEASE&arch=default&format=html
> > http://www.freebsd.org/cgi/man.cgi?query=geli&apropos=0&sektion=8&manpath=FreeBSD+9.2-RELEASE&arch=default&format=html
> >
> > I suggest adding an href inside:
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html
> > Even if just a 1 liner to start, to expand to a section later.
> > (None there for 'pefs', I just searched)
> >
> > Personally I've been using gbde based on top of a file inside a UFS
> > for a long time. I can't remember why I chose gbde rather than geli,
> > I guess because it was there first ?
> >
> > A dummy's guide short notes along the lines of "Which of these 3 should I use?"
> > might also later be nice at the top of that web page :-)
>
> There is no answer for the question, each system does its own thing
> and does it differently:
> * With PEFS backups are much easier:
>   - Use regular backup software for backing up encrypted data (lower
>     level file system), that would allow delta backup only.

Sorry, I don't quite understand what's meant. ( I use rdist6 to back up
individual changes in one tree to a tree on gbde on an mdconfig'd image
on a ufs on a remote host or local USB stick. Easy after set up, all
normal tools work, but yes, target size is fixed unlike PEFS. )

>   - Create file system snapshots, e.g. zfs, then zfs send/receive,
>     regardless whether file system is encrypted or not.
> * Setting up multiple encrypted file systems is much easier -- no need
>   to preallocate storage and create a file system.
> * With PEFS it's possible to add a key to an encrypted home directory
>   during login (pam_pefs).
> * PEFS lets you use multiple keys in the same file system.

Useful, I hope it makes it to src/

I suggest contributing the summary above to
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html

Thanks
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script.  Indent old text with "> ".
 Send plain text.  No quoted-printable, HTML, base64, multipart/alternative.
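As an added example that is not part of the thread: the gbde-on-a-file-in-UFS workflow Julian describes (dd a fixed-size image, mdconfig it, gbde it), scripted for FreeBSD. It assumes root, gbde(8) and mdconfig(8), and keeps the lock file beside the image (this example's choice, not a project convention); the fixed container size it requires is exactly the trade-off Gleb contrasts with PEFS.

```shell
#!/bin/sh
# Added example, not code from the thread: a fixed-size gbde container on a
# file in UFS. Assumes FreeBSD, root, gbde(8) and mdconfig(8). The lock file
# lives next to the image here (example's choice); without it the data is
# unrecoverable, so it must be backed up together with the image.
set -eu

# Convert "2G" / "512M" into a count of 1 MiB dd blocks; fail on anything else.
size_to_mib() {
    n=${1%[MG]}
    case "$n" in ""|*[!0-9]*) return 1 ;; esac
    case "$1" in
        *G) echo $(( n * 1024 )) ;;
        *M) echo "$n" ;;
        *)  return 1 ;;
    esac
}

# Create the image, attach it as a memory disk, initialise and attach gbde
# (gbde prompts for the passphrase), newfs the .bde device and mount it.
# Prints the md unit so the caller can release it later.
create_gbde_container() {
    img=$1 size=$2 mnt=$3
    mib=$(size_to_mib "$size") || { echo "bad size: $size" >&2; return 1; }
    dd if=/dev/random of="$img" bs=1m count="$mib"
    unit=$(mdconfig -a -t vnode -f "$img")          # e.g. md0
    gbde init "/dev/$unit" -L "$img.lock"
    gbde attach "/dev/$unit" -l "$img.lock"
    newfs "/dev/$unit.bde"
    mkdir -p "$mnt"
    mount "/dev/$unit.bde" "$mnt"
    echo "$unit"
}

# Reverse the above: unmount, detach gbde, release the memory disk.
release_gbde_container() {
    unit=$1 mnt=$2
    umount "$mnt"
    gbde detach "/dev/$unit"
    mdconfig -d -u "$unit"
}

# Usage: sh mkgbde.sh ~/crypt.img 2G /mnt/crypt
#        sh mkgbde.sh -d md0 /mnt/crypt
case "${1:-}" in
    -d) release_gbde_container "$2" "$3" ;;
    "") ;;                      # no arguments: only define the functions
    *)  create_gbde_container "$1" "$2" "$3" ;;
esac
```

Growing the container later means creating a new, larger image and copying the data across, which is the fixed-sizing limitation Julian mentions.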