On Mon, Oct 7, 2013 at 12:58 PM, Julian H. Stacey <jhs_at_berklix.com> wrote:
> Hi Gleb & All
> Gleb Kurtsou wrote:
>> Hello,
>>
>> I would like to ask everybody's opinion regarding committing PEFS to
>> CURRENT.
>>
>> PEFS is a stacked cryptographic file system for FreeBSD. Development
>> started as a Google Summer of Code project in 2009. It has been in ports
>> since Sept 2011. I maintain the project.
>>
>> Conceptually PEFS is similar to nullfs, adding an encryption layer on top of
>> it. But it differs technically by not using vop_bypass. Other popular
>> stacked cryptographic file systems include eCryptfs (Linux) and encfs
>> (fuse). There is also the pam_pefs PAM module to allow user authentication
>> with their PEFS-encrypted home directory password.
>
> 2 others are also already in FreeBSD src/ (not just ports) gbde & geli.

geli and gbde are a different concept; they provide encrypted block-level
devices. PEFS transparently encrypts data on an existing file system.

Here is what you can do with PEFS:

% mkdir ~/Private
% pefs mount ~/Private ~/Private
% pefs addkey ~/Private
% echo "Hello WORLD" > ~/Private/test
% ls -Al ~/Private
total 1
-rw-r--r-- 1 gleb gleb 12 Oct 1 12:55 test
% cat ~/Private/test
Hello WORLD
% pefs unmount ~/Private
% ls -Al ~/Private
total 1
-rw-r--r-- 1 gleb gleb 12 Oct 1 12:55 .DU6eudxZGtO8Ry_2Z3Sl+tq2hV3O75jq
% hd ~/Private/.DU6eudxZGtO8Ry_2Z3Sl+tq2hV3O75jq
00000000  7f 1e 1b 05 fc 8a 5c 38  fc d8 2d 5f  |......\8..-_|
0000000c

Take a look at a great article in the BSD Magazine or
http://glebkurtsou.blogspot.com/2009/10/encrypting-private-directory-with-pefs.html

> Whether moved from ports to src or not, either way,
> I suggest add to man section SEE ALSO gbde(8) & geli(8)

Good point, thanks.

> Also, SEE ALSO of gbde & geli should probably ref ports/sysutils/pefs-kmod
> ft: Command not found.
>
> No pefs yet in SEE ALSO of
> http://www.freebsd.org/cgi/man.cgi?query=gbde&apropos=0&sektion=8&manpath=FreeBSD+9.2-RELEASE&arch=default&format=html
> http://www.freebsd.org/cgi/man.cgi?query=geli&apropos=0&sektion=8&manpath=FreeBSD+9.2-RELEASE&arch=default&format=html
>
> I suggest add an href inside:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html
> Even if just a 1 liner to start, to expand to a section later.
> (None there for 'pefs', I just searched)
>
> Personally I've been using gbde based on top of a file inside a UFS
> for a long time, I can't remember why I chose gbde rather than geli,
> I guess because it was there first ?
>
> A dummy's guide short notes along the lines of "Which of these 3 should I use?"
> might also later be nice at the top of that web page :-)
>

There is no answer for the question; each system does its own thing and
does it differently:

* With PEFS backups are much easier:
  - Use regular backup software for backing up encrypted data (lower
    level file system), that would allow delta backup only.
  - Create file system snapshots, e.g. zfs, then zfs send/receive,
    regardless whether file system is encrypted or not.
* Setting up multiple encrypted file systems is much easier -- no need to
  preallocate storage and create file system.
* With PEFS it's possible to add a key to an encrypted home directory during
  login (pam_pefs).
* PEFS lets you use multiple keys in the same file system.

Thanks,
Gleb.

Received on Mon Oct 07 2013 - 18:26:24 UTC