Re: Idea for GEOM and policy based file encryption

From: Victor Balada Diaz <victor_at_bsdes.net>
Date: Wed, 21 Mar 2012 11:09:05 +0100
On Wed, Mar 21, 2012 at 10:47:45AM +0100, Harald Schmalzbauer wrote:
> Hello,
> 
> I personally don't have the need to encrypt whole filesystems and if I
> need to transfer sensitive data I use gpg to encrypt the tarball or
> whatever.
> But, I'd like to see some single files encrypted on my systems, eg.
> wpasupplicant.conf, ipsec.conf aso.
> Since I recently secured LDAP queries via IPSec, I found this to be the
> absolute perfect solution. Encryption takes place only where really
> needed with about no overhead (compared to SSL-LDAP).
> So would it be imaginable, that there's something like the SPD for
> network sockets also for files?
> The idea is that in this fileSPD, there's the entry that /etc/ipsec.conf
> must be aes encrypted. In a fileSA, there's the info that
> /etc/ipsec.conf can be read by uid xyz (or only one specific kernel,
> identified by something new to implement) and with a special key ID. The
> keys are loaded as modules, optionally symmetric encrypted by passphrase.
> 
> Was such a policy based file encryption control doable with GEOM?
> Maybe it's easier to make use of existing tools like gpg with GEOM
> interaction?
> I don't want to reinvent any file encryption, I just need some automatic
> encryption (without _mandatory_ interaction) with lowest possible bypass
> possibilities.
> 
> Thanks,
> 

Hello Harald,

I'm not an expert, but I guess that GEOM is not the place for that kind of
encryption. GEOM has no knowledge about files or directories. That is
file system specific.

You would need to modify UFS, or maybe do something like CFS[1]. CFS works
as an NFS server and you could modify it to only cipher the needed files.

Also you could write a simple FS on FUSE, but last time I checked, our
FUSE support had some problems.

I hope it helps.

Regards.
Victor.

[1]: http://www.crypto.com/software/

-- 
The most reliable proof that intelligent life exists on other planets
is that they have not tried to contact us.
Received on Wed Mar 21 2012 - 09:09:12 UTC
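As an added illustration of the "fileSPD / fileSA" idea from Harald's message, and of Victor's point that such a policy has to live at a layer that sees file paths rather than at the block layer: a small user-space model in Go (example code, not from either poster and not FreeBSD, GEOM or UFS code). The `PolicyEntry`, `KeyEntry`, `FilePolicy`, `Seal`, `Open` and `DemoPolicy` names, the "aes-gcm" cipher label and the key bytes are all constructed for the example; the policy says /etc/ipsec.conf and /etc/wpa_supplicant.conf must be AES-encrypted under key ID "k1", usable by uid 0 only, while any other path passes through untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"path"
)

// PolicyEntry plays the role of a "fileSPD" entry (hypothetical): which
// files must be encrypted, with which cipher, under which key ID.
type PolicyEntry struct {
	Pattern string // path glob matched with path.Match
	Cipher  string // only "aes-gcm" is understood in this example
	KeyID   string
}

// KeyEntry plays the role of a "fileSA" (hypothetical): key material for a
// key ID plus the UIDs allowed to use it.
type KeyEntry struct {
	Key         []byte // 16, 24 or 32 bytes for AES
	AllowedUIDs map[int]bool
}

type FilePolicy struct {
	SPD []PolicyEntry
	SA  map[string]KeyEntry
}

var ErrDenied = errors.New("uid not allowed by file SA")

// lookup returns the first SPD entry matching p, or nil if p is unpoliced.
func (fp *FilePolicy) lookup(p string) *PolicyEntry {
	for i := range fp.SPD {
		if ok, _ := path.Match(fp.SPD[i].Pattern, p); ok {
			return &fp.SPD[i]
		}
	}
	return nil
}

// aead resolves the SA for an SPD entry and enforces the UID check.
func (fp *FilePolicy) aead(entry *PolicyEntry, uid int) (cipher.AEAD, error) {
	if entry.Cipher != "aes-gcm" {
		return nil, fmt.Errorf("unsupported cipher %q", entry.Cipher)
	}
	sa, ok := fp.SA[entry.KeyID]
	if !ok {
		return nil, fmt.Errorf("no SA for key ID %q", entry.KeyID)
	}
	if !sa.AllowedUIDs[uid] {
		return nil, ErrDenied
	}
	block, err := aes.NewCipher(sa.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is what a file-system layer would run on write: plaintext in,
// on-disk bytes out. Unpoliced files are stored as-is.
func (fp *FilePolicy) Seal(p string, uid int, plaintext []byte) ([]byte, error) {
	entry := fp.lookup(p)
	if entry == nil {
		return plaintext, nil
	}
	gcm, err := fp.aead(entry, uid)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The path is authenticated data, so a sealed blob copied to another
	// policed file fails to open there.
	return gcm.Seal(nonce, nonce, plaintext, []byte(p)), nil
}

// Open is the read-side counterpart of Seal.
func (fp *FilePolicy) Open(p string, uid int, stored []byte) ([]byte, error) {
	entry := fp.lookup(p)
	if entry == nil {
		return stored, nil
	}
	gcm, err := fp.aead(entry, uid)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(stored) < ns {
		return nil, errors.New("stored data shorter than nonce")
	}
	return gcm.Open(nil, stored[:ns], stored[ns:], []byte(p))
}

// DemoPolicy builds the configuration sketched in the thread. The key bytes
// are constructed for the example, not a real key.
func DemoPolicy() *FilePolicy {
	return &FilePolicy{
		SPD: []PolicyEntry{
			{Pattern: "/etc/ipsec.conf", Cipher: "aes-gcm", KeyID: "k1"},
			{Pattern: "/etc/wpa_supplicant.conf", Cipher: "aes-gcm", KeyID: "k1"},
		},
		SA: map[string]KeyEntry{
			"k1": {Key: []byte("0123456789abcdef0123456789abcdef"), AllowedUIDs: map[int]bool{0: true}},
		},
	}
}

func main() {
	fp := DemoPolicy()
	blob, _ := fp.Seal("/etc/ipsec.conf", 0, []byte("setkey example"))
	_, err := fp.Open("/etc/ipsec.conf", 1001, blob)
	fmt.Println("uid 1001 read of /etc/ipsec.conf:", err)
}
```

Everything the model decides on (which path, which uid) is information a block-layer provider like GEOM never sees, which is the reason a per-file policy has to sit in the file system, an NFS-style loopback server such as CFS, or a FUSE file system.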
