Gleb Kurtsou wrote:
> On Mon, Oct 7, 2013 at 12:58 PM, Julian H. Stacey <jhs_at_berklix.com> wrote:
> > Hi Gleb & All
> > Gleb Kurtsou wrote:
> >> Hello,
> >>
> >> I would like to ask everybody's opinion regarding committing PEFS to
> >> CURRENT.
> >>
> >> PEFS is a stacked cryptographic file system for FreeBSD. Development
> >> started as a Google Summer of Code project in 2009. It has been in ports
> >> since Sept 2011. I maintain the project.
> >>
> >> Conceptually PEFS is similar to nullfs, adding an encryption layer on top of
> >> it. But it differs technically by not using vop_bypass. Other popular
> >> stacked cryptographic file systems include eCryptfs (linux) and encfs
> >> (fuse). There is also the pam_pefs pam module to allow user authentication
> >> with their PEFS-encrypted home directory password.
> >
> > 2 others are also already in FreeBSD src/ (not just ports): gbde & geli.
>
> geli and gbde are a different concept, they provide encrypted block level devices.

Yes, I allocate eg 2 Gig { via dd on a file on UFS or an MBR partition on a USB stick }, [then use mdconfig if a file on UFS] before I gbde. I've always thought I'd have to bite the ZFS bullet to escape fixed sizing, but PEFS offers variable sizing :-)

> PEFS transparently encrypts data on an existing file system.
>
> Here is what you can do with PEFS:
> % mkdir ~/Private
> % pefs mount ~/Private ~/Private
> % pefs addkey ~/Private
> % echo "Hello WORLD" > ~/Private/test
> % ls -Al ~/Private
> total 1
> -rw-r--r-- 1 gleb gleb 12 Oct 1 12:55 test
> % cat ~/Private/test
> Hello WORLD
> % pefs unmount ~/Private
> % ls -Al ~/Private
> total 1
> -rw-r--r-- 1 gleb gleb 12 Oct 1 12:55 .DU6eudxZGtO8Ry_2Z3Sl+tq2hV3O75jq
> % hd ~/Private/.DU6eudxZGtO8Ry_2Z3Sl+tq2hV3O75jq
> 00000000 7f 1e 1b 05 fc 8a 5c 38 fc d8 2d 5f |......\8..-_|
> 0000000c

Nice.

> Take a look at a great article in the BSD Magazine or Downloaded (free)
> http://glebkurtsou.blogspot.com/2009/10/encrypting-private-directory-with-pefs.html

Will do.
> > Whether moved from ports to src or not, either way,
> > I suggest add to man section SEE ALSO gbde(8) & geli(8)
>
> Good point, thanks.
>
> > Also, SEE ALSO of gbde & geli should probably ref ports/sysutils/pefs-kmod
> > ft: Command not found.

Sorry, the line above my mouse seems to have caught my mistyped vi !}fmt from elsewhere.

> > No pefs yet in SEE ALSO of
> > http://www.freebsd.org/cgi/man.cgi?query=gbde&apropos=0&sektion=8&manpath=FreeBSD+9.2-RELEASE&arch=default&format=html
> > http://www.freebsd.org/cgi/man.cgi?query=geli&apropos=0&sektion=8&manpath=FreeBSD+9.2-RELEASE&arch=default&format=html
> >
> > I suggest add an href inside:
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html
> > Even if just a 1 liner to start, to expand to a section later.
> > (None there for 'pefs', I just searched)
> >
> > Personally I've been using gbde based on top of a file inside a UFS
> > for a long time, I can't remember why I chose gbde rather than geli,
> > I guess because it was there first ?
> >
> > A dummy's guide short notes along the lines of "Which of these 3 should I use?"
> > might also later be nice at the top of that web page :-)
>
> There is no answer for the question, each system does its own thing
> and does it differently:
> * With PEFS backups are much easier:
> - Use regular backup software for backing up encrypted data (lower
> level file system), that would allow delta backup only.

Sorry, I don't quite understand what's meant. ( I use rdist6 to backup individual changes in one tree to a tree on gbde on an mdconfig'd image on a ufs on a remote host or local USB stick. Easy after set up, all normal tools work, but yes, target size is fixed unlike PEFS. )

> - Create file system snapshots, e.g. zfs, then zfs send/receive,
> regardless whether file system is encrypted or not.
> * Setting up multiple encrypted file systems is much easier -- no need
> to preallocate storage and create file system.
> * With PEFS it's possible to add a key to an encrypted home directory
> during login (pam_pefs).
> * PEFS lets you use multiple keys in the same file system.

Useful, I hope it makes it to src/

I suggest contributing the summary above to
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html

Thanks
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
Reply below not above, like a play script. Indent old text with "> ".
Send plain text. No quoted-printable, HTML, base64, multipart/alternative.

Received on Mon Oct 07 2013 - 20:57:18 UTC