Date:      Tue, 07 Sep 2010 16:27:19 +0200
From:      Ivan Voras <ivoras@freebsd.org>
To:        freebsd-current@freebsd.org
Subject:   Re: RFC: pefs - stacked cryptographic filesystem
Message-ID:  <i65i47$vnl$1@dough.gmane.org>
In-Reply-To: <20100906183838.GA3460@tops>
References:  <20100906183838.GA3460@tops>

On 09/06/10 20:38, Gleb Kurtsou wrote:
> Hello,
>
> I would like to ask for feedback on a kernel level stacked cryptographic
> filesystem. It has started as Summer Of Code'2009 project and matured a
> lot since then. I've recently added support for sparse files and
> switched to XTS encryption mode.

I've tried it and so far it works :)

> 3. Mount pefs filesystem:
> # pefs mount ~/Private ~/Private

I see you've used the same example in the man page. Maybe it would be 
better for educational purposes to use two separate directories, e.g. 
~/Private and ~/Decrypted to avoid confusion by new users (of course not 
all examples need to use this).

> 6. Example how to save your key in keychain database.

This is probably in line with what rwatson said (and would be covered by 
the same document): can you describe what keychains actually do?

> 7. You can set up pam_pefs (not compiled by default) to add key to home
> directory and authenticate against keychain database on login, e.g. by
> adding the following line to /etc/pam.d/system before pam_unix.so:
>
> auth	sufficient	pam_pefs.so	try_first_pass

So, this would bypass passwd and let the user in if his password 
authenticates against the "keychain database" in his home directory? 
Will it automagically pefs-mount his home directory?

> *   Uses modern cryptographic algorithms: AES and Camellia in XTS mode,
>      PKCS#5v2 and HKDF for key generation.

I do have a request: since you are already using kernel crypto support, 
it would be simple to just throw Blowfish in :) If for nothing else, 
consider it a gift to those who are fond of Blowfish's large key sizes 
(up to 448 bits).

Actually, it would probably be seen as a reflection of consistency to 
implement the same algorithms that geli(8) implements. geli doesn't 
implement XTS yet - if your XTS code proves to be stable it would be a 
good thing to include it as standard and then use it from geli.

I see you've copied SHA2 code to the pefs code. What is wrong with just 
using the kernel's SHA2 implementation?
