Date: Mon, 07 Oct 2013 12:53:10 -0400
From: Nikolai Lifanov <lifanov@mail.lifanov.com>
To: Gleb Kurtsou <gleb@freebsd.org>
Cc: "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>
Subject: Re: Committing PEFS to CURRENT
Message-ID: <5252E6F6.80009@mail.lifanov.com>
In-Reply-To: <20131007163111.GB1590@reks.swifttest.com>
References: <20131007163111.GB1590@reks.swifttest.com>

On 10/07/13 12:31, Gleb Kurtsou wrote:
> Hello,
>
> I would like to ask everybody's opinion regarding committing PEFS to
> CURRENT.
>
> PEFS is a stacked cryptographic file system for FreeBSD. Development
> started as Google Summer of Code project in 2009. It has been in ports
> since Sept 2011. I maintain the project.
>
> Conceptually PEFS is similar to nullfs adding encryption layer on top of
> it. But it differs technically by not using vop_bypass. Other popular
> stacked cryptographic file systems include eCryptfs (linux) and encfs
> (fuse). There is also pam_pefs pam module to allow user authentication
> with their PEFS-encrypted home directory password.
>
> For those interested in high level introduction I would highly recommend
> article by Kris Moore in the BSD Magazine Issue 09/2013(50) -
> http://bsdmag.org/magazine/1848-day-to-day-bsd-administration
>
> We are very close to branching 10-STABLE now, but patch is
> non-intrusive, it only adds new functionality, enabling PEFS for i386
> and amd64 (platforms it's known to work on). Patch passes make universe.
>
> Patch is available here:
> https://github.com/glk/freebsd-head/commit/b4d2c4a5f42f88fdd07cb75feba3467e4d4c043c.patch
>
> Pros/cons:
>
> - Having PEFS in base would be a huge maintenance help for PCBSD/TrueOS
>   who are already committed to use PEFS in next product releases, e.g.
>   PCBSD provides encrypted home directories.
>
> - There is steady interest in the project from users (emails, etc).
>   Many of them note that file system is not well known yet. Moving PEFS
>   to base would greatly increase its exposure.
>
> - Committing PEFS to base would also simplify maintenance by keeping it
>   in sync with other subsystems, e.g. it will be updated on large scale
>   changes like VM locking.
>
> - There are no bugs known at the moment. I've been using it to encrypt
>   home directory since day one. pho@ ran stress test suite on it a
>   while back, a number of bugs were fixed.
>
> - PEFS is known to work on amd64 and i386 only. Big endian systems and
>   systems with page size larger than 4k are not tested.
>
> - NOTE! There has been no cryptography review. I'd like to suggest to
>   add warning about file system and crypto used is experimental and hasn't
>   undergone professional review. Similar to one we had in tmpfs.
>
>
> BSD Magazine article:
> http://bsdmag.org/magazine/1848-day-to-day-bsd-administration
>
> Port:
> http://www.freshports.org/sysutils/pefs-kmod/
>
> Source code repository:
> https://github.com/glk/pefs
>
> FreeBSD DevSummit'2011 - pefs presentation slides:
> https://pefs.googlecode.com/files/pefs-devsummit.pdf
>
> FreeBSD wiki page:
> https://wiki.freebsd.org/PEFS
>
>
> I would really appreciate any comments or suggestions.
>
>
> Thank you,
> Gleb.

Just a personal note: I hoped that you would commit pefs to base
someday. It works well, and is the type of core functionality that
would be nice to have as early as the install ISO, before skel is copied
over for the first user. I would be happy if this happened.

- Nikolai Lifanov