From: Harald Schmalzbauer (OmniLAN)
To: FreeBSD current, fs@freebsd.org
Date: Wed, 21 Mar 2012 10:47:45 +0100
Message-ID: <4F69A3C1.7040305@omnilan.de>
Subject: Idea for GEOM and policy based file encryption

Hello,

I personally don't have the need to encrypt whole filesystems, and if I need to transfer
sensitive data I use gpg to encrypt the tarball or whatever. But I'd like to see some single files encrypted on my systems, e.g. wpasupplicant.conf, ipsec.conf and so on.

Since I recently secured LDAP queries via IPSec, I found this to be the absolute perfect solution: encryption takes place only where really needed, with about no overhead (compared to SSL-LDAP).

So would it be imaginable that there's something like the SPD for network sockets also for files? The idea is that in this fileSPD there's an entry that /etc/ipsec.conf must be AES encrypted. In a fileSA there's the info that /etc/ipsec.conf can be read by uid xyz (or only one specific kernel, identified by something new to implement) and with a special key ID. The keys are loaded as modules, optionally symmetric encrypted by passphrase.

Would such a policy based file encryption control be doable with GEOM? Maybe it's easier to make use of existing tools like gpg with GEOM interaction? I don't want to reinvent any file encryption, I just need some automatic encryption (without _mandatory_ interaction) with the lowest possible bypass possibilities.

Thanks,
-Harry
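The fileSPD / fileSA lookup sketched in the mail, written out as an added example (this is not code from the mail, from GEOM or from the FreeBSD project): a small Python model that applies the three IPsec SPD actions (protect, bypass, discard) to file paths instead of sockets, and fails closed at every step, since a file with no policy, a PROTECT policy with no SA, an SA that does not list the caller's uid, an SA whose algorithm disagrees with the policy, or a key that is not loaded all deny access. The class and function names (FilePolicy, FileSA, FilePolicyEngine, build_sample_engine, is_allowed), the key ID "key-ipsec-01", the uids and the sample paths are assumptions constructed for this example; no cipher is run, the model only decides which key ID and algorithm a read has to go through, which is the "lowest possible bypass" part of the idea.

```python
"""Toy model of a fileSPD / fileSA, borrowing the IPsec vocabulary
(SPD = security policy database, SA = security association).
Added example; all paths, uids and key IDs are constructed sample values."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Actions mirror the IPsec SPD: PROTECT = must be encrypted, BYPASS = plaintext
# allowed, DISCARD = no access at all.
PROTECT, BYPASS, DISCARD = "protect", "bypass", "discard"


@dataclass
class FilePolicy:
    pattern: str                      # fnmatch-style path pattern (hypothetical)
    action: str                       # PROTECT, BYPASS or DISCARD
    algorithm: Optional[str] = None   # required cipher when action == PROTECT


@dataclass
class FileSA:
    path: str
    key_id: str                       # names a key loaded as a "key module"
    algorithm: str
    allowed_uids: frozenset = field(default_factory=frozenset)


@dataclass
class Decision:
    action: str
    key_id: Optional[str] = None
    algorithm: Optional[str] = None


class FilePolicyEngine:
    def __init__(self, spd, sad, loaded_keys):
        self.spd = list(spd)                    # ordered: first match wins, like IPsec
        self.sad = {sa.path: sa for sa in sad}  # one SA per exact path
        self.loaded_keys = set(loaded_keys)     # key IDs whose module is loaded

    def lookup_policy(self, path):
        for policy in self.spd:
            if fnmatchcase(path, policy.pattern):
                return policy
        return None                             # no policy: caller treats as DISCARD

    def resolve(self, path, uid):
        """Return the Decision for uid accessing path, or raise PermissionError.

        Every missing or inconsistent piece of state denies access (fail closed)."""
        policy = self.lookup_policy(path)
        if policy is None or policy.action == DISCARD:
            raise PermissionError(f"{path}: no policy allows access")
        if policy.action == BYPASS:
            return Decision(BYPASS)
        sa = self.sad.get(path)
        if sa is None:
            raise PermissionError(f"{path}: PROTECT policy but no SA")
        if sa.algorithm != policy.algorithm:
            raise PermissionError(f"{path}: SA uses {sa.algorithm}, policy requires {policy.algorithm}")
        if uid not in sa.allowed_uids:
            raise PermissionError(f"{path}: uid {uid} not listed in SA")
        if sa.key_id not in self.loaded_keys:
            raise PermissionError(f"{path}: key module {sa.key_id} not loaded")
        return Decision(PROTECT, sa.key_id, sa.algorithm)


def build_sample_engine(loaded_keys=("key-ipsec-01",)):
    """Constructed sample database: /etc/ipsec.conf readable by uid 0 only,
    wpa_supplicant.conf required to be encrypted but with no SA yet,
    everything else under /etc readable in plaintext."""
    spd = [
        FilePolicy("/etc/ipsec.conf", PROTECT, "aes"),
        FilePolicy("/etc/wpa_supplicant.conf", PROTECT, "aes"),
        FilePolicy("/etc/*", BYPASS),
    ]
    sad = [FileSA("/etc/ipsec.conf", "key-ipsec-01", "aes", frozenset({0}))]
    return FilePolicyEngine(spd, sad, loaded_keys)


def is_allowed(engine, path, uid):
    """True if resolve() grants access (bypass or protect), False if it denies."""
    try:
        engine.resolve(path, uid)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    engine = build_sample_engine()
    for path, uid in [("/etc/ipsec.conf", 0), ("/etc/ipsec.conf", 1001),
                      ("/etc/rc.conf", 1001), ("/etc/wpa_supplicant.conf", 0),
                      ("/usr/local/etc/other.conf", 0)]:
        try:
            d = engine.resolve(path, uid)
            print(f"{path} uid={uid}: {d.action} key={d.key_id} alg={d.algorithm}")
        except PermissionError as err:
            print(f"{path} uid={uid}: DENY ({err})")
```

Two design points carry over from IPsec: the policy table is ordered and the first matching pattern wins, so the specific PROTECT entries are listed before the "/etc/*" BYPASS entry, and the absence of a policy is treated as DISCARD rather than BYPASS, which is what keeps an unlisted new file from quietly landing in plaintext. Passing a different `loaded_keys` tuple to `build_sample_engine` shows the "key module not loaded" denial.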