Re: RFC: pefs - stacked cryptographic filesystem

From: Gleb Kurtsou <gleb.kurtsou_at_gmail.com>
Date: Tue, 7 Sep 2010 02:03:22 +0300
Sorry for replying to myself; I've realized I put the wrong download link:
http://github.com/downloads/glk/pefs/pefs-2010-09-06.tar.gz

On (06/09/2010 21:38), Gleb Kurtsou wrote:
> Hello,
> 
> I would like to ask for feedback on a kernel level stacked cryptographic
> filesystem. It started as a Summer of Code 2009 project and has matured a
> lot since then. I've recently added support for sparse files and
> switched to XTS encryption mode.
> 
> I've been using it to encrypt my home directory for almost a year
> already, and use fsx, dbench and blogbench for testing. So it should be
> fairly stable.
> 
> Tested on top of ZFS, UFS and tmpfs on amd64 and i386; both 9-CURRENT
> and 8-STABLE supported.
> 
> Please email me separately if you're willing to help test on a big-endian
> machine; the XTS code doesn't look endian-correct.
> 
> At this point all of the project goals are complete, and I'd like it to get
> wider coverage in terms of tests and reviews and hope to see it committed
> to HEAD soon.
> 
> 
> Installation instructions:
> 
> 1a. Clone git repository:
> # git clone git://github.com/glk/pefs.git pefs
> # cd pefs
> 
> 1b. Or download the latest snapshot from github:
> http://github.com/glk/pefs/archives/master

Or use the direct download link:
http://github.com/downloads/glk/pefs/pefs-2010-09-06.tar.gz

> 
> 2. Build and install:
> # make obj all
> # make install
> 
> 3. Mount pefs filesystem:
> # pefs mount ~/Private ~/Private
> 
> 4. Enter passphrase:
> # pefs addkey ~/Private
> 
> 5. Test it and report back. There is also a man page available.
> 
> 6. Example of how to save your key in the keychain database.
> 
> pefs has to be mounted and a key specified to make the fs writable; create a
> keychain with a single entry (keychain -Z option):
> # pefs addchain -Z ~/Private
> Don't encrypt .pefs.db:
> # mv ~/Private/.pefs.db /tmp
> # umount ~/Private
> # mv /tmp/.pefs.db ~/Private
> # pefs mount ~/Private ~/Private
> Use the -c option to verify that the key is in the database:
> # pefs addkey -c ~/Private
> 
> 7. You can set up pam_pefs (not compiled by default) to add the key to your home
> directory and authenticate against the keychain database on login, e.g. by
> adding the following line to /etc/pam.d/system before pam_unix.so:
> 
> auth	sufficient	pam_pefs.so	try_first_pass
> 
> 
> The following is a list of its most important features:
> 
> *   Kernel level file system, no user level daemons needed.
>     Transparently runs on top of existing file systems.
> *   Random per-file tweak value used for encryption, which guarantees
>     different cipher texts for the same encrypted files.
> *   Saves metadata only in the encrypted file name, not in the file itself.
> *   Supports an arbitrary number of keys per file system, a default directory
>     key, and mixing files encrypted with different keys in the same directory.
> *   Allows defining key chains, which can be used to add/delete several keys
>     by specifying only the master key.
> *   Uses modern cryptographic algorithms: AES and Camellia in XTS mode,
>     PKCS#5v2 and HKDF for key generation.
> 
> 
> Github repository: http://github.com/glk/pefs
> 
> More details on my blog: http://glebkurtsou.blogspot.com/search/label/pefs
> 
> Thanks,
> Gleb.
> 
Received on Mon Sep 06 2010 - 21:03:32 UTC