On 7 September 2010 22:05, Gleb Kurtsou <gleb.kurtsou_at_gmail.com> wrote: > On (07/09/2010 16:27), Ivan Voras wrote: >> On 09/06/10 20:38, Gleb Kurtsou wrote: >> > Hello, >> > >> > I would like to ask for feedback on a kernel level stacked cryptographic >> > filesystem. It has started as Summer Of Code'2009 project and matured a >> > lot since then. I've recently added support for sparse files and >> > switched to XTS encryption mode. >> >> I've tried it and so far it works :) >> >> > 3. Mount pefs filesystem: >> > # pefs mount ~/Private ~/Private >> >> I see you've used the same example in the man page. Maybe it would be >> better for educational purposes to use two separate directories, e.g. >> ~/Private and ~/Decrypted to avoid confusion by new users (of course not >> all examples need to use this). > Actually I've used the same directory solely for educational purposes -- > there is just one directory, it's either encrypted or not. The other directory is a mount point - this is what I was aiming at. > If user enters k1, the following chain can be retrieved from the > database: k1 k2 k3. All three keys are then added to filesystem. > > In case of k2 chain is k2 k3. > > All entries stored encrypted in a way that child entry can be decrypted > only by parent key. > > Using key chains one can emulate access levels. I don't know if it is cryptographically sound but it seems like too much trouble :) >> > 7. You can setup pam_pefs (not compiled by default) to add key to home >> > directory and authenticate against keychain database on login, e.g. by >> > adding the following line to /etc/pam.d/system before pam_unix.so: >> > >> > auth sufficient pam_pefs.so try_first_pass >> >> So, this would bypass passwd and let the user in if his password >> authenticates against the "keychain database" in his home directory? > Exactly, that's the way I use it. More detailed description available > here: http://marc.info/?l=freebsd-current&m=128388197901390&w=2 > >> Will it automagically pefs-mount his home directory? > No, not mounting pefs is intentional. It automagically adds keys to > already mounted pefs filesystem. Ok, so for example on a desktop client, a pefs-protected home directory would always be mounted from fstab, and then decrypted on login. Makes sense.Received on Tue Sep 07 2010 - 19:08:06 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:07 UTC