Re: RFC: pefs - stacked cryptographic filesystem

From: Gleb Kurtsou <gleb.kurtsou_at_gmail.com>
Date: Tue, 7 Sep 2010 21:03:24 +0300
Thanks to Peter Holm and Thomas Vogt for finding several bugs:
* Compilation with DIAGNOSTIC option
* Vnode reference and lock leak in pefs_rename()

I've uploaded new version to test:
http://github.com/downloads/glk/pefs/pefs-2010-09-07.tar.gz

Github repository is also updated.

Also note, that if you have extra debugging options like DEBUG_LOCKS in
your kernel config pefs module has to be build with same options.
I set KERNBUILDDIR to my kernel build directory to make it work:
# uname -v
FreeBSD 9.0-CURRENT #25 r212049+d758796: Tue Aug 31 22:09:45 EEST 2010     root_at_tops:/usr/obj/freebsd-src/local/sys/TOPS
# export KERNBUILDDIR=/usr/obj/freebsd-src/local/sys/TOPS
# cd pefs/sys/modules/pefs
# make clean
# make && make install

Thanks,
Gleb.

On (06/09/2010 21:38), Gleb Kurtsou wrote:
> Hello,
> 
> I would like to ask for feedback on a kernel level stacked cryptographic
> filesystem. It has started as Summer Of Code'2009 project and matured a
> lot since then. I've recently added support for sparse files and
> switched to XTS encryption mode.
> 
> I've been using it to encrypt my home directory for almost a year
> already, and use fsx, dbench and blogbench for testing. So it should be
> fairly stable.
> 
> Tested on top of ZFS, UFS and tmpfs on amd64 and i386; both 9-CURRENT
> and 8-STABLE supported.
> 
> Please email me separately if you're willing to help testing on big
> endian machine, XTS code doesn't look endian correct.
> 
> At this point all of the project goals complete and I'd like it to get
> wider coverage in terms of tests and reviews and hope to see it commited
> to HEAD soon.
> 
> 
> Installation instructions:
> 
> 1a. Clone git repository:
> # git clone git://github.com/glk/pefs.git pefs
> # cd pefs
> 
> 1b. Or download latest snapshot from github:
> http://github.com/glk/pefs/archives/master
> 
> 2. Build and install:
> # make obj all
> # make install
> 
> 3. Mount pefs filesystem:
> # pefs mount ~/Private ~/Private
> 
> 4. Enter passphrase:
> # pefs addkey ~/Private
> 
> 5. Test it and report back. There is also a man page available.
> 
> 6. Example how to save your key in keychain database.
> 
> pefs has to be mounted and key specified to make fs writable, create
> keychain with single entry (keychain -Z option):
> # pefs addchain -Z ~/Private
> Don't encrypt .pefs.db:
> # mv ~/Private/.pefs.db /tmp
> # umount ~/Private
> # mv /tmp/.pefs.db ~/Private
> # pefs mount ~/Private ~/Private
> Use -c option to verify key is in database
> # pefs addkey -c ~/Private
> 
> 7. You can setup pam_pefs (not compiled by default) to add key to home
> directory and authenticate against keychain database on login, e.g. by
> adding the following line to /etc/pam.d/system before pam_unix.so:
> 
> auth	sufficient	pam_pefs.so	try_first_pass
> 
> 
> The following is a list of its most important features:
> 
> *   Kernel level file system, no user level daemons needed.
>     Transparently runs on top of existing file systems.
> *   Random per file tweak value used for encryption, which guaranties
>     different cipher texts for the same encrypted files.
> *   Saves metadata only in encrypted file name, but not in file itself.
> *   Supports arbitrary number of keys per file system, default directory
>     key, mixing files encrypted with different keys in same directory.
> *   Allows defining key chains, can be used to add/delete several keys
>     by specifying only master key.
> *   Uses modern cryptographic algorithms: AES and Camellia in XTS mode,
>     PKCS#5v2 and HKDF for key generation.
> 
> 
> Github repository: http://github.com/glk/pefs
> 
> More details on my blog: http://glebkurtsou.blogspot.com/search/label/pefs
> 
> Thanks,
> Gleb.
> 
Received on Tue Sep 07 2010 - 16:03:31 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:07 UTC