From owner-freebsd-current@FreeBSD.ORG Thu Oct 1 21:44:08 2009 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2E8D61065692 for ; Thu, 1 Oct 2009 21:44:08 +0000 (UTC) (envelope-from gleb.kurtsou@gmail.com) Received: from mail-fx0-f222.google.com (mail-fx0-f222.google.com [209.85.220.222]) by mx1.freebsd.org (Postfix) with ESMTP id B4DA48FC17 for ; Thu, 1 Oct 2009 21:44:07 +0000 (UTC) Received: by fxm22 with SMTP id 22so580348fxm.36 for ; Thu, 01 Oct 2009 14:44:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:date:from:to:subject :message-id:mime-version:content-type:content-disposition:user-agent; bh=clnva5lEhqtVL/4AaGsm5vLssCH1emsNY0YT9mKXMS0=; b=kUhKqzNRbi4QCTi/Com/3uxXs39Lw68xfoTqQoFYI65NRsH8mahuSRLk9bgylFzLh0 37znIB6xpnhN5DFWZ/3gNLLLcUZq3+ftH3NVsCrwJcRBAx3/Wuiygv77tCuIN2gDopSY O4aSLY1Dofnkwhbih+X4rdPjYIeFrSnC4zmxs= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:subject:message-id:mime-version:content-type :content-disposition:user-agent; b=d2tRKGPdpaoi4Xm3JhRXXIve0jSRD8m1uE1ispubi6ZORaRKIJ84F5NZ8v7J9nub5E LRsxFb4i+J/jYIB1NoAuOkvAA9uQb1U1M+WkLfAydubqh4CDQ/SDb+r7I7JpKN4zglp0 NDkyRF4VkkwfksJv3xdyxuyzkEnfljuWJ1++w= Received: by 10.86.164.6 with SMTP id m6mr1647456fge.42.1254432243324; Thu, 01 Oct 2009 14:24:03 -0700 (PDT) Received: from localhost (lan-78-157-90-54.vln.skynet.lt [78.157.90.54]) by mx.google.com with ESMTPS id e11sm116176fga.23.2009.10.01.14.24.02 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 01 Oct 2009 14:24:02 -0700 (PDT) Date: Fri, 2 Oct 2009 00:23:43 +0300 From: Gleb Kurtsou To: freebsd-current@freebsd.org Message-ID: <20091001212342.GA1417@tops> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline User-Agent: Mutt/1.5.20 (2009-06-14) Subject: RFC: kernel level cryptographic filesystem (summer of code project) X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Oct 2009 21:44:08 -0000 Hi, During Google Summer of Code this year I was working on kernel level cryptographic filesystem pefs. It looks like the project is mature enough to ask for a public review and comments. I'm using it to encrypt my mailbox for some time already without any issues. For testing I use mostly dbench and fsx tools. Some of pefs features (comparing to other stacked filesystems): * Kernel level implementation (no fuse and similar stuff) * Random per file tweak value used for encryption * Saves metadata only in encrypted file name (doesn't change file content) * Doesn't change encrypted file size * Arbitrary number of keys * Mixing files encrypted with different keys in single directory * Transparent mode of operation (no encryption, read-only, allows accessing filesystem snapshots easily) * Key chaining (though user level utility) * Modern encryption algorithms (AES and Camellia in CTR mode, Salsa20) I've tested it on top of ZFS, UFS and tmpfs (it fails on msdosfs). I use amd64 9-CURRENT but it should work on 8- and 7-STABLE (+ i386). For more information, there are several post on my blog regarding pefs: Step-by-step tutorial: http://blogs.freebsdish.org/gleb/2009/10/01/pefs-encrypting-directory/ Description of cryptographic primitives used: http://blogs.freebsdish.org/gleb/2009/09/23/pefs-crypto-primitives/ And a small benchmark: http://blogs.freebsdish.org/gleb/2009/09/16/pefs-benchmark/ I'd appreciate any feedback and testing. Short instructions on how to start with it: 1. Download tarball: http://www.2shared.com/file/8154727/3dc45b66/pefs-2009-10-01tar.html 2. Unpack into /usr/src 3. Compile and install: # make -C /usr/src/sys/modules/salsa20 obj all install clean # make -C /usr/src/sys/modules/pefs obj all install clean # make -C /usr/src/sbin/pefs obj all install clean It installs 2 modules (pefs, salsa20) and user level configuration utility /sbin/pefs (and /sbin/mount_pefs which is link to /sbin/pefs) 4. Mount pefs filesystem: % pefs mount ~/Private ~/Private 5. Set your passphrase: % pefs addkey ~/Private 6. Test it Thanks, Gleb.